

ssl stapling, verification fails

April 29, 2015 02:38AM

I'm trying to get nginx 1.6.2 to authenticate users using their client certificates.

I'm using this configuration (besides usual SSL settings, which are proved to work):

ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;

trusted.pem contains 3 CA certificates: test CA and 2 production CAs (main and intermediate).
To pass verification data to the application I'm using

fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;

And here comes the issue: when using the test CA and test certificate, I'm getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting X-SSL-Verified: FAILED. You can say that there's a problem in my certificate bunch, but I tried to verify if the production certificate is really issued by the CA that I think about:

openssl verify -verbose -CAfile trusted.pem rt.cert
rt.cert: OK

Looks like it passes the verification. trusted.pem is the same that nginx uses. At the same time nginx thinks that the certificate doesn't pass the test. Why can this happen? I've also tried setting 'ssl_verify_client on;' - the only difference is that I get the 400 answer, because the verification fails explicitly.

Subject Author Posted

ssl stapling, verification fails

drookie April 29, 2015 02:38AM

Re: ssl stapling, verification fails

Maxim Dounin April 29, 2015 07:36AM
