
failure to limit access to a secure area with self-signed client SSL cert fingerprint match

pgn
March 20, 2023 01:52PM
i run

nginx -v
nginx version: nginx/1.23.3 (COPR Build)

the server's setup to use LE certs


server {
    ...
    ssl_trusted_certificate "/www/sec/le/deploy/otherexample.com/intermediate_ca.ec.crt.pem";
    ssl_certificate "/www/sec/le/deploy/otherexample.com/fullchain.ec.crt.pem";
    ssl_certificate_key "/www/sec/le/deploy/otherexample.com/priv.ec.key";
    ...
}

i've a secure area that i want to limit access to clients only with exact-matching ssl cert fingerprints

i've added

map $ssl_client_fingerprint $test_ssl_fp_reject {
    default 1;
    # cert's SHA1 FP
    01234567890ABCDEFGHIJK1234567890ABCDEFGH 0;
}
...
log_format ssl_client
    '"Client fingerprint" $ssl_client_fingerprint '
    '"Client DN" $ssl_client_s_dn ';
...

server {
    ...
    # attempt the verify, to populate $ssl_client_fingerprint
    ssl_verify_client optional;
    ssl_verify_depth 2;
    ssl_client_certificate "/etc/ssl/cert.pem";
    ...
    location /sec/test {
        if ($test_ssl_fp_reject) { return 403; }

        root /www/sec/test;
        try_files /test.php =444;
        fastcgi_pass phpfpm;
        fastcgi_index test.php;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        include fastcgi.conf;
    }
    ...
    access_log /var/log/nginx/ssl.log ssl_client;
}

the client cert's self-signed with my own CA, and usage's config'd for Client auth,

openssl x509 -in desktop.example.com.client.ec.crt.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4859 (0x12fb)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = NY, O = example.com, OU = example.com_CA, CN = example.com_CA_INT, emailAddress = ssl@example.com
Validity
Not Before: Mar 20 11:17:47 2023 GMT
Not After : Mar 17 11:17:47 2024 GMT
Subject: C = US, ST = NY, L = New_York, O = example.com, OU = example.com_CA, CN = desktop.example.com, emailAddress = ssl@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:...:e5
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
example.com CLIENT Certificate
X509v3 Subject Key Identifier:
CC:...:06
X509v3 Authority Key Identifier:
D0:...:CD
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 Subject Alternative Name:
DNS:desktop.example.com, DNS:www.desktop.example.com
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:...:6f

i've imported the cert as .pfx into Firefox & Chrome.

i can access

https://otherexample.com

as usual.

now, on access to EITHER of

https://otherexample.com
https://otherexample.com/sec/test

in browser i get

400 Bad Request
The SSL certificate error
nginx

while in log, i _do_ see the captured FP & DN,

tail -f /var/log/nginx/ssl.log

"Client fingerprint" 01234567890ABCDEFGHIJK1234567890ABCDEFGH "Client DN" emailAddress=ssl@example.com,CN=desktop.example.com,OU=example.com_CA,O=example.com,L=New_York,ST=NY,C=US


if i toggle

- ssl_verify_client optional;
+ ssl_verify_client off;

now, access to

https://otherexample.com

works. but

https://otherexample.com/sec/test

returns

403 Forbidden
nginx

since the $ssl_client_fingerprint doesn't populate

tail -f /var/log/nginx/ssl.log

"Client fingerprint" - "Client DN" -

and, if I turn off ALL client verification, then access to the frontend and my secure area works as expected.

what config change's needed to

(1) keep the site publicly accessible using the LE certs
(2) lock down the secure area for exact FP-match access only?
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
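An added example, not from this thread or from nginx's documentation: one configuration shape that meets both requirements, with the private CA chain path, the `location /` root and the fingerprint value as assumed placeholders. It relies on two nginx behaviours: under `ssl_verify_client optional`, a presented certificate that does not chain to a CA listed in `ssl_client_certificate` is rejected with 400 "The SSL certificate error" (a system bundle such as /etc/ssl/cert.pem does not contain a private CA), and `$ssl_client_fingerprint` is the SHA-1 of the DER certificate as lowercase hex without colons.

```nginx
# Fingerprint allow-list: 0 for an allowed client, 1 for everything else.
# $ssl_client_fingerprint is lowercase hex with no colons; derive it with:
#   openssl x509 -in client.crt.pem -noout -fingerprint -sha1 \
#     | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
map $ssl_client_fingerprint $test_ssl_fp_reject {
    default 1;
    # constructed placeholder, not a real fingerprint
    0123456789abcdef0123456789abcdef01234567 0;
}

# Accept a fingerprint match only when nginx also verified the chain,
# so a cert that merely collides on the allow-list key is not enough.
map "$ssl_client_verify:$test_ssl_fp_reject" $sec_reject {
    default 1;
    "SUCCESS:0" 0;
}

server {
    listen 443 ssl;
    server_name otherexample.com;

    # Server identity stays the Let's Encrypt chain (paths from the post).
    ssl_certificate     /www/sec/le/deploy/otherexample.com/fullchain.ec.crt.pem;
    ssl_certificate_key /www/sec/le/deploy/otherexample.com/priv.ec.key;

    # Trust anchor for client auth is the private root + intermediate,
    # not the system bundle. Assumed path.
    ssl_client_certificate /etc/nginx/ssl/example.com_CA_chain.pem;
    ssl_verify_depth 2;
    # 'optional': browsers that send no cert still reach the public site;
    # a cert chaining to the private CA populates $ssl_client_fingerprint
    # and sets $ssl_client_verify to SUCCESS.
    ssl_verify_client optional;

    location / {
        root /www/sec/public;   # assumed
    }

    location /sec/test {
        if ($sec_reject) { return 403; }
        root /www/sec/test;
        try_files /test.php =444;
        fastcgi_pass phpfpm;
        fastcgi_index test.php;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        include fastcgi.conf;
    }
}
```

If nginx should not act as the verifier at all, `ssl_verify_client optional_no_ca` tolerates an unknown issuer and still populates the fingerprint, but then the `$ssl_client_verify` condition no longer holds and the fingerprint becomes the sole control.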
Subject Author Posted

failure to limit access to a secure area with self-signed client SSL cert fingerprint match

pgn March 20, 2023 01:52PM

Re: failure to limit access to a secure area with self-signed client SSL cert fingerprint match

Francis Daly March 21, 2023 05:50PM

Re: failure to limit access to a secure area with self-signed client SSL cert fingerprint match

pgn March 21, 2023 07:04PM

Re: failure to limit access to a secure area with self-signed client SSL cert fingerprint match

Francis Daly March 21, 2023 08:54PM

Re: failure to limit access to a secure area with self-signed client SSL cert fingerprint match

pgn March 22, 2023 08:50AM

Re: failure to limit access to a secure area with self-signed client SSL cert fingerprint match

Francis Daly March 23, 2023 06:00PM
