
Re: NGINX not checking OCSP for revoked certificates

October 14, 2016 04:52AM
What I had to do was set the depth to the number of CAs or greater, and
I had to get all the CRLs for each CA and concatenate them into one CRL
file.



On 14 October 2016 at 16:49, Zeal Vora <zeal@freecharge.com> wrote:
> Thanks Maxim.
>
> I tried changing the ssl_verify_depth to 1 from value of 2 however still I
> get 400 Bad Request for all the certificates ( Valid and Revoked ).
>
> I checked the error_log file, there are no entries in that file. It all
> works when I remove the ssl_crl option ( however then revoked certificates
> are allowed ).
>
> Just for a bit more info, I downloaded the CRL from ADCS, which is in the form of
> test.crl, which I convert to .pem format with openssl.
>
>
>
>
> On Thu, Oct 13, 2016 at 6:27 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:
>>
>> Hello!
>>
>> On Thu, Oct 13, 2016 at 03:07:25PM +0530, Zeal Vora wrote:
>>
>> > Hi
>> >
>> > We've implemented basic Certificate Based Authentication for Nginx.
>> >
>> > However whenever the certificate is revoked, Nginx still allows the client
>> > ( with revoked certificate ) to access the website.
>> >
>> > I verified manually with openssl with OCSP URI and OCSP seems to be working
>> > properly. Nginx doesn't seem to be forwarding request to OCSP before
>> > allowing client.
>>
>> That's because nginx doesn't support OCSP validation of client
>> certificates. Use CRLs instead.
>>
>> > I tried to specify the ssl_crl but as soon as I put it, all the clients
>> > start to receive 400 Bad Request.
>> >
>> > Here is my sample relevant Nginx Config :-
>> >
>> >
>> > ### SSL cert files ###
>> >
>> > ssl_client_certificate /test/ca.crt;
>> > ssl_verify_client optional;
>> >
>> > ssl_crl /prod-adcs/latest.pem;
>> > ssl_verify_depth 2;
>> >
>> >
>> > Is there something that I'm missing here ?
>>
>> Your error log should have details. Given you are using verify
>> depth set to 2, most likely there is no CRL for the root
>> certificate itself, and that's why nginx is complaining.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/
>>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
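One way to build and pre-check the combined CRL file discussed in this thread, as an added example that is not part of any poster's message. The function and file names are placeholders, and `openssl verify -crl_check_all` is used here as an offline stand-in for the check nginx performs once `ssl_crl` is set, on the assumption that both require a CRL for every certificate in the chain.

```shell
#!/bin/sh
# Added example: function and file names are hypothetical placeholders.
# Requires the openssl command-line tool (verify -CRLfile needs 1.0.2 or later).

# Print one CRL as PEM, whether the input is DER (for example a .crl file
# downloaded from a CA) or already PEM.
crl_to_pem() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1"; then
        openssl crl -inform PEM -in "$1" -outform PEM
    else
        openssl crl -inform DER -in "$1" -outform PEM
    fi
}

# build_crl_bundle OUT CRL...
# Concatenate one CRL per CA (root and every intermediate) into OUT,
# the single file that ssl_crl points at.
build_crl_bundle() {
    bundle=$1
    shift
    : > "$bundle"
    for crl in "$@"; do
        crl_to_pem "$crl" >> "$bundle" || return 1
    done
}

# Number of CRLs in a bundle; it should match the number of CAs in the chain.
count_crls() {
    grep -c -- '-----BEGIN X509 CRL-----' "$1"
}

# check_client CA_BUNDLE CRL_BUNDLE CLIENT_CERT
# Verify a client certificate while demanding a CRL for every certificate
# in its chain. A bundle that lacks the CRL of any CA makes this fail even
# for a certificate that was never revoked.
check_client() {
    openssl verify -crl_check_all -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Typical use (placeholder names):
#   build_crl_bundle all-crls.pem root-ca.crl issuing-ca.crl
#   check_client ca-chain.pem all-crls.pem client.pem && echo "chain and CRLs OK"
# Then point ssl_crl at all-crls.pem and set ssl_verify_depth to at least
# the number of CAs in the chain.
```

Running `check_client` against a known-good and a known-revoked client certificate before reloading nginx shows whether a rejection comes from the bundle being incomplete or from an actual revocation entry.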
Subject Author Posted

NGINX not checking OCSP for revoked certificates

Zeal Vora October 13, 2016 05:38AM

Re: NGINX not checking OCSP for revoked certificates

Maxim Dounin October 13, 2016 08:58AM

Re: NGINX not checking OCSP for revoked certificates

Zeal Vora October 14, 2016 01:50AM

Re: NGINX not checking OCSP for revoked certificates

alexsamad October 14, 2016 04:52AM

Re: NGINX not checking OCSP for revoked certificates

Zeal Vora October 14, 2016 06:04AM
