Hi,

So far we were able to run nginx (1.0.x & 1.2.x) with SSL client verification enabled where certs were signed by a single root CA:

    ssl on;
    ssl_certificate server_cert_signed_by_CA.pem;
    ssl_certificate_key server_key.pem;
    ssl_client_certificate ca_cert.pem;
    ssl_verify_client optional;

Now we would like to introduce chained CAs:

    root CA -> intermediate CA -> client cert

so nginx should be able to verify client certificates which are signed by the intermediate CA. Unfortunately I was not able to make it work (I see that development version 1.3.x has some additional options which would suggest that this setup can work with it). Is this setup possible with nginx 1.2.x?

Some other people had an identical problem: http://stackoverflow.com/questions/8431528/nginx-s...

The SSL module documentation (http://wiki.nginx.org/HttpSslModule) mentions that the SSL module "supports checking client certificates with two limitations", whereas the 2nd limitation seems to be related to the server certificate rather than the client certificate. Is this bad wording or am I missing something there?

Regards,
Marcin
on 2012-10-30 11:17
on 2012-10-30 12:39
On Tue, 30 Oct 2012 11:17:41 +0100 Marcin Deranek <marcin.deranek@booking.com> wrote:

> would suggest that this setup can work with it). Is this setup
> possible with nginx 1.2.x ?

I have enabled additional debugging and got this in logs:

    client SSL certificate verify error: (26:unsupported certificate purpose) while SSL handshaking

Looks like our security team needs to re-generate certificates. I'm sorry for the noise.

Marcin
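The verify error quoted in the follow-up above (26: unsupported certificate purpose) can be reproduced offline with the openssl CLI. This is an added example, not part of the thread: the CA names, file names and extension sections are constructed, and it checks with `-purpose sslclient`, the purpose OpenSSL applies when a server verifies a client certificate.

```shell
#!/bin/sh
# Added example with throwaway keys and constructed names; not the poster's PKI.
# Chain: Example Root CA -> Example Intermediate CA -> client certificate.

build_cas() {   # $1 = work dir: write the config, then create root and intermediate CA
    cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_only]
extendedKeyUsage = serverAuth
[client_ok]
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$1/x.cnf" -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/x.cnf" -extensions ca -out "$1/int.pem" 2>/dev/null
}

issue_leaf() {  # $1 = work dir, $2 = leaf name, $3 = extension section from x.cnf
    openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -CAcreateserial -days 2 -extfile "$1/x.cnf" -extensions "$3" -out "$1/$2.pem" 2>/dev/null
}

check_client() { # $1 = work dir, $2 = leaf name: validate the chain for TLS client use
    openssl verify -purpose sslclient -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/$2.pem" 2>&1
}

WORK=$(mktemp -d)
build_cas "$WORK"
issue_leaf "$WORK" wrong server_only   # leaf usable only as a TLS server
issue_leaf "$WORK" right client_ok     # leaf usable as a TLS client
check_client "$WORK" wrong             # fails at depth 0 with verify error 26
check_client "$WORK" right             # chain verifies
```

The text OpenSSL prints for error 26 varies between releases, so match on the number when searching logs. Running `openssl x509 -noout -text` on a rejected client certificate shows the Extended Key Usage values it was issued with.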