HPKP report-uri and nginx ssl_verify_client

Marcus Schopen
October 30, 2016 04:36PM
Hi,

On a host I'd like to send HPKP reports to, ssl_verify_client is set to
"optional":

ssl_client_certificate /etc/nginx/ssl/CA.pem;
ssl_verify_client optional;

If the HPKP policy fails (for another domain), Chrome (54.0.2840.71
(64-bit)) sends HPKP reports to that reporting host, but the post ends
with an "ERR_SSL_CLIENT_AUTH_CERT_NEEDED" error, which in my
understanding is not correct, because the /hpkp-report path doesn't require
a client certificate for authentication. Chrome bug?

chrome://net-internals/#events
-----------------
322: URL_REQUEST
https://www.example.org/hpkp-report
Start Time: 2016-10-30 16:56:20.278

t=4559 [st= 0] +REQUEST_ALIVE [dt=75]
t=4559 [st= 0] URL_REQUEST_DELEGATE [dt=0]
t=4559 [st= 0] +URL_REQUEST_START_JOB [dt=75]
--> load_flags = 1618 (BYPASS_CACHE | DISABLE_CACHE | DO_NOT_SAVE_COOKIES | DO_NOT_SEND_AUTH_DATA | DO_NOT_SEND_COOKIES)
--> method = "POST"
--> priority = "LOWEST"
--> upload_id = "0"
--> url = "https://www.example.org/hpkp-report"
t=4559 [st= 0] URL_REQUEST_DELEGATE [dt=0]
t=4559 [st= 0] HTTP_CACHE_GET_BACKEND [dt=0]
t=4559 [st= 0] +HTTP_STREAM_REQUEST [dt=75]
t=4559 [st= 0] HTTP_STREAM_REQUEST_STARTED_JOB
--> source_dependency = 323 (HTTP_STREAM_JOB)
t=4634 [st=75] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 323 (HTTP_STREAM_JOB)
t=4634 [st=75] -HTTP_STREAM_REQUEST
t=4634 [st=75] URL_REQUEST_DELEGATE [dt=0]
t=4634 [st=75] CANCELLED
--> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=4634 [st=75] -URL_REQUEST_START_JOB
--> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=4634 [st=75] URL_REQUEST_DELEGATE [dt=0]
t=4634 [st=75] -REQUEST_ALIVE
-----------------

If I type in https://www.example.org/hpkp-report in Chrome's address bar
I don't get an SSL error (tested with different clients).

Ciao
Marcus

--
I think we dream so we don't have to be apart so long. If we're in each
other's dreams, we can play together all night. -- Calvin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
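
How the two directives quoted in the post relate to a per-path requirement, as an added example that is not part of the original message: `ssl_verify_client` is configured per server, so with `optional` nginx asks for a client certificate during the TLS handshake for every path, and any per-path requirement is enforced afterwards through `$ssl_client_verify`. The server certificate paths, the `/admin/` location, the document root and the `204` handler are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name www.example.org;                      # host name as in the post's log

    ssl_certificate     /etc/nginx/ssl/server.pem;    # assumed path
    ssl_certificate_key /etc/nginx/ssl/server.key;    # assumed path

    # From the post. These directives are valid only at http/server level:
    # the certificate request is sent in the handshake, before nginx knows
    # which URI the client is going to ask for.
    ssl_client_certificate /etc/nginx/ssl/CA.pem;
    ssl_verify_client      optional;

    # Report endpoint: nothing is checked at the HTTP layer, but the
    # handshake above still carries the certificate request.
    location = /hpkp-report {
        return 204;                                   # assumed placeholder handler
    }

    # Assumed protected area: with "optional", enforcement happens here.
    # $ssl_client_verify is SUCCESS, FAILED:<reason> or NONE.
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        root /var/www/html;                           # assumed document root
    }
}
```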