Problem with Client SSL certificates

February 10, 2012 04:33AM
I tried to configure nginx with client certificates, but only get 400 Bad Request (No required SSL certificate was sent).

Here is my Setup:
Nginx 0.7.65 on Ubuntu 10.4.3 with php5-fpm 5.3.2-1

I set up a vhost configuration for testing these client certificates:

server {
    listen 443;
    ssl on;
    ssl_session_timeout 30m;
    server_name test.myserver.lan;
    error_log /var/log/nginx/debug.log debug;

    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;

    location / {
        root /var/www/test;
        fastcgi_pass unix:/tmp/php.sock;
        fastcgi_param SCRIPT_FILENAME /var/www/test/test.php;
        fastcgi_param VERIFIED $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
        include fastcgi_params;
    }
}

For testing I generated a self-signed server key and server cert. Later, in production, this server certificate should be changed to a trusted certificate from an official CA. This part is working fine.

The problem began with the client certificates.
Here are the steps I took:
1. Generate a root CA (only for the client certificates)
> openssl genrsa -des3 -out ca.key 4096
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2. Generate the self-signed client certificate
> openssl genrsa -des3 -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

3. Convert to PKCS
> openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

4. Import the client.p12 into Firefox
I got 400 Bad Request (No required SSL certificate was sent)

Server log says:
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL handshake handler: 0
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL: TLSv1, cipher: "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: 434
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 http request line: "GET / HTTP/1.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http uri: "/"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http args: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http exten: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request header line
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Host: test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Encoding: gzip, deflate"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Connection: keep-alive"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cookie: PHPSESSID=5nn4bei3plftd5r12790kk12n1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cache-Control: max-age=0"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header done
2012/02/10 10:13:23 [info] 30297#0: *8819 client sent no required SSL certificate while reading client request headers, client: 150.102.1.193, server: test.myserver.lan, request: "GET / HTTP/1.1", host: "test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http finalize request: 496, "/?" 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 event timer del: 12: 1720368829
2012/02/10 10:13:23 [debug] 30297#0: *8819 http special response: 496, "/?"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http set discard body
2012/02/10 10:13:23 [debug] 30297#0: *8819 HTTP/1.1 400 Bad Request
Server: nginx/0.7.65
Date: Fri, 10 Feb 2012 09:13:23 GMT
Content-Type: text/html
Content-Length: 253
Connection: close



To see a little more output from client side:

> curl -v -s -k https://test.myserver.lan

* About to connect() to port 443 (#0)
* Trying 150.102.5.20... connected
* Connected to test.myserver.lan (150.102.5.20) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=DE; ST=RLP; L=MyCity; O=My company; OU=My Company; CN=test.myserver.lan; emailAddress=admin@myserver.lan
* start date: 2012-02-06 10:15:29 GMT
* expire date: 2013-02-05 10:15:29 GMT
* common name: test.myserver.lan
* issuer: C=DE; ST=RLP; L=MyCity; O=My Company; OU=My Company; CN=test.myserver.lan; emailAddress=admin@myserver.lan
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: test.myserver.lan
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/0.7.65
< Date: Fri, 10 Feb 2012 09:19:00 GMT
< Content-Type: text/html
< Content-Length: 253
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/0.7.65</center>
</body>
</html>
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

When I interpret the log files correctly, there is only an SSL handshake for the server cert authentication?!?!?
Does anybody have a hint where the mistake is?
cyberchriss February 10, 2012 04:33AM
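An added example, not part of the post above: a POSIX shell script that rebuilds the CA and client certificate of steps 1 to 3 non-interactively in a scratch directory, then runs the two offline checks a browser's decision to present the certificate depends on: the certificate must verify against the file given to ssl_client_certificate, and its issuer name must equal that CA's subject, because nginx advertises the CA names from that file in the TLS CertificateRequest and the browser only offers certificates issued by one of them. Assumes the openssl CLI is on PATH; the subject names and directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum post). Assumes the openssl CLI.
set -eu

# make_test_pki DIR: CA plus a client cert signed by it (mirrors steps 1-3,
# but without passphrases or prompts so it runs unattended).
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Demo Client CA" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/CN=demo-user" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/client.crt" 2>/dev/null
}

# check_client_cert CA_FILE CLIENT_CERT: prints 0 when the client cert
# would be accepted by nginx's ssl_client_certificate=CA_FILE and offered
# by a browser, 1 otherwise.
check_client_cert() {
    ca=$1; cert=$2
    # Check 1: does the cert chain to the CA file nginx is configured with?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo 1; return; }
    # Check 2: nginx sends the CA subject in CertificateRequest; the client
    # only presents certs whose issuer matches one of those names.
    ca_subj=$(openssl x509 -noout -subject -in "$ca")
    issuer=$(openssl x509 -noout -issuer -in "$cert")
    [ "${ca_subj#subject=}" = "${issuer#issuer=}" ] || { echo 1; return; }
    echo 0
}
```

Run `make_test_pki /tmp/pki` and then `check_client_cert /tmp/pki/ca.crt /tmp/pki/client.crt`, or point the check at the real ca.crt and client.crt. A curl test of the server must present the certificate itself (`curl -v --cert client.crt --key client.key https://test.myserver.lan`); without `--cert`, curl sends no client certificate and the 400 is the expected answer.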