Welcome! Log In Create A New Profile

Advanced

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin
June 01, 2020 11:44AM
Hello!

On Fri, May 29, 2020 at 07:09:45PM -0700, PGNet Dev wrote:

>  I'm running
>
> nginx -V
> nginx version: nginx/1.19.0 (pgnd Build)
> built with OpenSSL 1.1.1g 21 Apr 2020
> TLS SNI support enabled
> ...
>
> It serves as front-end SSL termination, site host, and reverse-proxy to backend apps.
>
> I'm trying to get a backend app to proxy_ssl_verify the proxy connection to it.
>
> I have two self-signed certs:
>
> One for "TLS Web Client Authentication, E-mail Protection"
>
> openssl x509 -in test.example.com.client.crt -text | egrep "Subject.*CN|DNS|TLS"
> Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl@example2.com
> TLS Web Client Authentication, E-mail Protection
> DNS:test.example.com, DNS:www.test.example.com, DNS:localhost
>
> and the other, for "TLS Web Server Authentication"
>
> openssl x509 -in test.example.com.server.crt -text | egrep "Subject.*CN|DNS|TLS"
> Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl@example2.com
> TLS Web Server Authentication
> DNS:test.example.com, DNS:www.test.example.com, DNS:localhost
>
> The certs 'match' CN & SAN, differing in "X509v3 Extended Key Usage".
>
> Both are verified "OK" with my local CA cert
>
> openssl verify -CAfile myCA.crt.pem test.example.com.server.crt
> test.example.com.server.crt: OK
>
> openssl verify -CAfile /myCA.crt.pem test.example.com.client.crt
> test.example.com.client.crt: OK
>
> My main nginx config includes,
>
> upstream test.example.com {
> server test.example.com:11111;
> }
> server {
>
> listen 10.10.10.1:443 ssl http2;
> server_name example.com;
> ...
>
> ssl_verify_client on;
> ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
> ssl_verify_depth 2;
> ssl_certificate "/etc/ssl/nginx/example.com.server.crt";
> ssl_certificate_key "/etc/ssl/nginx/example.com.server.key";
> ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";
>
> location /app1 {
> proxy_pass https://test.example.com;
> proxy_ssl_certificate "/etc/ssl/nginx/test.example.com.client.crt";
> proxy_ssl_certificate_key "/etc/ssl/nginx/test.example.com.client.key";
> proxy_ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";
> proxy_ssl_verify on;
> proxy_ssl_verify_depth 2;
> include includes/reverse-proxy.inc;
> }
> }
>
> and the upstream config,
>
> server {
> listen 127.0.0.1:11111 ssl http2;
> server_name test.example.com;
>
> root /data/webapps/demo_app/;
> index index.php;
> expires -1;
>
> ssl_certificate "/etc/ssl/nginx/test.example.com.server.crt";
> ssl_certificate_key "/etc/ssl/nginx/test.example.com.server.key";
>
> ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
> ssl_verify_client optional;
> ssl_verify_depth 2;
>
> location ~ \.php {
> try_files $uri =404;
> fastcgi_pass phpfpm;
> fastcgi_index index.php;
> fastcgi_param PATH_INFO $fastcgi_script_name;
> include fastcgi_params;
> }
>
> }
>
> access to
>
> https://example.com/app1
>
> responds,
>
> 502 Bad Gateway
>
> logs, show an SSL handshake fail
>
> ...
> 2020/05/29 19:00:06 [debug] 29419#29419: *7 SSL: TLSv1.3, cipher: "TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD"
> 2020/05/29 19:00:06 [debug] 29419#29419: *7 http upstream ssl handshake: "/app1/?"
> 2020/05/29 19:00:06 [debug] 29419#29419: *7 X509_check_host(): no match
> 2020/05/29 19:00:06 [error] 29419#29419: *7 upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream, client: 10.10.10.73, server: example.com, request: "GET /app1/ HTTP/2.0", upstream: "https://127.0.0.1:11111/app1/", host: "example.com"
> 2020/05/29 19:00:06 [debug] 29419#29419: *7 http next upstream, 2
> ...
>
> If I toggle
>
> - ssl_verify_client on;
> + ssl_verify_client off;
>
> then I'm able to connect to the backend site, as expected.
>
> What exactly is NOT matching in the handshake? CN & SAN do ...
>
> &/or, is there a config problem above?

Most likely the problem is that the certificate returned depends
on the name provided via Server Name Indication (SNI). That is,
that the server block in the upstream server configuration is not
the default one, and the default one returns a different
certificate.

Usage of Server Name Indication for upstream SSL connections isn't
enabled by default, and this isn't switched on in your
configuration. Try

proxy_ssl_server_name on;

to see if it helps. See http://nginx.org/r/proxy_ssl_server_name
for details.

You may also try the following patch to provide somewhat better
debug logging when checking upstream server SSL certificates:

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1591025575 -10800
# Mon Jun 01 18:32:55 2020 +0300
# Node ID eaa39944438dbb10507760890bddc45c19a5ad6f
# Parent 8cadaf7e7231865f2f81c03cb785c045dda6bf8b
SSL: added verify callback to ngx_ssl_trusted_certificate().

This ensures that certificate verification is properly logged to debug
log during upstream server certificate verification. This should help
with debugging various certificate issues.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -920,6 +920,8 @@ ngx_int_t
ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
SSL_CTX_set_verify_depth(ssl->ctx, depth);

if (cert->len == 0) {



--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev May 29, 2020 10:10PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 01, 2020 11:44AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 12:44AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 01:00AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Sergey Kandaurov June 02, 2020 05:52AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Francis Daly June 02, 2020 11:28AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 03:12PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 02, 2020 03:36PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 04:02PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 02, 2020 07:14PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 02, 2020 03:22PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Francis Daly June 04, 2020 11:20AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 76
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready