Re: 400 errors after upgrading to 1.14.0

Maxim Dounin
September 19, 2018 06:14PM
Hello!

On Wed, Sep 19, 2018 at 03:59:58PM -0400, kpuscas wrote:

> Our service uses 2-way ssl with our clients connecting to our systems. With
> each new client we add their intermediate and root CA chain to the
> concatenated certificates file used by ssl_client_certificate. We recently
> upgraded to 1.14.0 (and the included modules) and now some, but not all of
> our customers are unable to connect getting 400 errors. We've tried changing
> the order of the certificates in the concatenated file but that didn't help.
> It is happening across different certificate chains but not all. And all of
> them worked fine prior to the upgrade.
>
> Has anyone else encountered this or is there something we should be doing
> different in how we set up these certificates?

There were no recent changes in nginx related to client
certificate validation. On the other hand, there were changes in
OpenSSL - most notably, OpenSSL 1.1.0+ now by default rejects
MD5-signed certificates and/or certificates with less than
1024-bit RSA keys.

This might be the reason for problems you have with some
certificates, assuming you've upgraded not only nginx but also
switched to a newer OpenSSL library.

You may also want to take a look at nginx error logs. When nginx
returns a 400 error, it logs the reason to the error log at the
"info" level.

--
Maxim Dounin
http://mdounin.ru/
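
Added example (not part of the reply above and not nginx or OpenSSL code): a standard-library Python check that walks the concatenated file given to ssl_client_certificate and flags certificates matching the two conditions named in the reply, an MD5 signature or an RSA key of less than 1024 bits. The function names are made up for this example, and it assumes well-formed PEM-encoded X.509 certificates.

```python
import base64, re, sys

# Added example; function names are illustrative. Assumes well-formed X.509 PEM.
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")    # OID 1.2.840.113549.1.1.4
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def audit_der(der):
    """Return which of the two conditions from the reply this certificate matches."""
    tbs, sig_alg, _signature = children(read_tlv(der, 0)[1])
    reasons = []
    if children(sig_alg[1])[0][1] == MD5_WITH_RSA:
        reasons.append("MD5 signature")
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # skip the optional [0] version field
        fields = fields[1:]
    spki = children(fields[5][1])          # after serial, sigalg, issuer, validity, subject
    if children(spki[0][1])[0][1] == RSA_ENCRYPTION:
        rsa_key = read_tlv(spki[1][1][1:], 0)[1]   # BIT STRING minus unused-bits byte
        bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
        if bits < 1024:
            reasons.append(f"{bits}-bit RSA key")
    return reasons

def audit_bundle(pem_text):                # yields (position in bundle, reasons)
    for index, match in enumerate(PEM_RE.finditer(pem_text), 1):
        reasons = audit_der(base64.b64decode(match.group(1)))
        if reasons:
            yield index, reasons

if __name__ == "__main__":
    for path in sys.argv[1:]:              # e.g. the ssl_client_certificate file
        for index, reasons in audit_bundle(open(path).read()):
            print(f"{path}: certificate #{index}: {', '.join(reasons)}")
```

This only inspects the CA bundle; a client's own leaf certificate can match the same conditions and would need the same check.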