Welcome! Log In Create A New Profile

Advanced

how to force/send TLS Certificate Request for all client connections, in client-side ssl-verification?

Previous Message Next Message
Forum List Message List New Topic Print View
PGNet Dev
July 02, 2019 11:54PM
I've setup my nginx server with self-signed SSL server-side certs, using my own/local CA.

Without client-side verifications, i.e. just an unverified-TLS connection, all's good.

If I enable client-side SSL cert verification with,

ssl_certificate "ssl/example.com.server.crt.pem";
ssl_certificate_key "ssl/example.com.server.key.pem";
ssl_verify_client on;
ssl_client_certificate "ssl_cert_dir/CA_intermediate.crt.pem";
ssl_verify_depth 2;

, a connecting android app is failing on connect, receiving FROM the nginx server,

HTTP RESPONSE:
Response{protocol=http/1.1, code=400, message=Bad Request, url=https://proxy.example.com/dav/myuser%40example.com/3d75dc22-8afc-1946-5b3f-4d84e9b28432/}
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

I've been unsuccessful so far using tshark/ssldump to decrypt the SSL handshake; I suspect (?) it's because my certs are ec signed. Still working on that ...

In 'debug' level nginx logs, I see

2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'35:5'
2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'2F:/'
2019/06/30 21:58:14 [debug] 41777#41777: *7 http uri: "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http args: ""
2019/06/30 21:58:14 [debug] 41777#41777: *7 http exten: ""
2019/06/30 21:58:14 [debug] 41777#41777: *7 posix_memalign: 0000558C35B3C840:4096 @16
2019/06/30 21:58:14 [debug] 41777#41777: *7 http process request header line
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Depth: 0"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Type: application/xml; charset=utf-8"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Length: 241"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Host: proxy.example.com"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Connection: Keep-Alive"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Encoding: gzip"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Language: en-US, en;q=0.7, *;q=0.5"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Authorization: Basic 1cC5...WUVi"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header done
2019/06/30 21:58:14 [info] 41777#41777: *7 client sent no required SSL certificate while reading client request headers, client: 10.0.1.235, server: proxy.example.com, request: "PROPFIND /dav/myuser%40example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/ HTTP/1.1", host: "proxy.example.com"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http finalize request: 496, "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?" a:1, c:1
2019/06/30 21:58:14 [debug] 41777#41777: *7 event timer del: 15: 91237404
2019/06/30 21:58:14 [debug] 41777#41777: *7 http special response: 496, "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http set discard body
2019/06/30 21:58:14 [debug] 41777#41777: *7 headers more header filter, uri "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
2019/06/30 21:58:14 [debug] 41777#41777: *7 charset: "" > "utf-8"
2019/06/30 21:58:14 [debug] 41777#41777: *7 HTTP/1.1 400 Bad Request
Date: Mon, 01 Jul 2019 04:58:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 230
Connection: close
Secure: Groupware Server
X-Content-Type-Options: nosniff

In comms with the app vendor, I was asked

Does your proxy send TLS Certificate Request

https://tools.ietf.org/html/rfc5246#section-7.4.4?

... the TLS stack which is used ... won't send certificates preemptively, but only when they're requested. In my tests, client certificates are working as expected, but ONLY if the server explicitly requests them.


I don't recognize the preemptive request above.

DOES nginx send such a TLS Certificate Request by default? Is there a required, additional config to force that request?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

how to force/send TLS Certificate Request for all client connections, in client-side ssl-verification?

PGNet Dev July 02, 2019 11:54PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 303
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready