I've setup my nginx server with self-signed SSL server-side certs, using my own/local CA.
Without client-side verifications, i.e. just an unverified-TLS connection, all's good.
If I enable client-side SSL cert verification with,
ssl_certificate "ssl/example.com.server.crt.pem";
ssl_certificate_key "ssl/example.com.server.key.pem";
ssl_verify_client on;
ssl_client_certificate "ssl_cert_dir/CA_intermediate.crt.pem";
ssl_verify_depth 2;
, a connecting android app is failing on connect, receiving FROM the nginx server,
HTTP RESPONSE:
Response{protocol=http/1.1, code=400, message=Bad Request, url=https://proxy.example.com/dav/myuser%40example.com/3d75dc22-8afc-1946-5b3f-4d84e9b28432/}
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>
I've been unsuccessful so far using tshark/ssldump to decrypt the SSL handshake; I suspect (?) it's because my certs are ec signed. Still working on that ...
In 'debug' level nginx logs, I see
2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'35:5'
2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'2F:/'
2019/06/30 21:58:14 [debug] 41777#41777: *7 http uri: "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http args: ""
2019/06/30 21:58:14 [debug] 41777#41777: *7 http exten: ""
2019/06/30 21:58:14 [debug] 41777#41777: *7 posix_memalign: 0000558C35B3C840:4096 @16
2019/06/30 21:58:14 [debug] 41777#41777: *7 http process request header line
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Depth: 0"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Type: application/xml; charset=utf-8"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Length: 241"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Host: proxy.example.com"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Connection: Keep-Alive"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Encoding: gzip"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Language: en-US, en;q=0.7, *;q=0.5"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Authorization: Basic 1cC5...WUVi"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header done
2019/06/30 21:58:14 [info] 41777#41777: *7 client sent no required SSL certificate while reading client request headers, client: 10.0.1.235, server: proxy.example.com, request: "PROPFIND /dav/myuser%40example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/ HTTP/1.1", host: "proxy.example.com"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http finalize request: 496, "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?" a:1, c:1
2019/06/30 21:58:14 [debug] 41777#41777: *7 event timer del: 15: 91237404
2019/06/30 21:58:14 [debug] 41777#41777: *7 http special response: 496, "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http set discard body
2019/06/30 21:58:14 [debug] 41777#41777: *7 headers more header filter, uri "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
2019/06/30 21:58:14 [debug] 41777#41777: *7 charset: "" > "utf-8"
2019/06/30 21:58:14 [debug] 41777#41777: *7 HTTP/1.1 400 Bad Request
Date: Mon, 01 Jul 2019 04:58:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 230
Connection: close
Secure: Groupware Server
X-Content-Type-Options: nosniff
In comms with the app vendor, I was asked
Does your proxy send TLS Certificate Request
https://tools.ietf.org/html/rfc5246#section-7.4.4?
... the TLS stack which is used ... won't send certificates preemptively, but only when they're requested. In my tests, client certificates are working as expected, but ONLY if the server explicitly requests them.
I don't recognize the preemptive request above.
DOES nginx send such a TLS Certificate Request by default? Is there a required, additional config to force that request?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx