Problem of configuring client cert verification

Hey I have a config like this:

server {
    server_name foo;
    listen 10.117.0.150:3443;
    ssl_on;
    ssl_certification /opt/mycrt/nginx.crt;
    ssl_private_key /opt/mycrt/nginx.key;
    ssl_verify_client on;
    ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;

    location = /certauth {
    }

    location / {
        return 403;
    }
}

server {
    server_name bar;
    listen 10.117.0.150:3443;
    ssl_on;
    ssl_certification /opt/mycrt/nginx.crt;
    ssl_private_key /opt/mycrt/nginx.key;
    ssl_verify_client on;
    ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;

    location = /certauth {
    }

    location / {
        return 403;
    }
}

Note that the two server names share the same IP. If I set both server
configs' client certificate verification on, it works well. That is,
accessing https://foo:3443/certauth and https://bar:3443/certauth both
work with the correct certificates (the first cert is signed by
nginx.foo.ca.crt and the second by nginx.bar.ca.crt).

However, if I set the first server block’s “ssl_verify_client” to “off”
and remove its location block for “= /certauth”, both servers return
the 403 error. In other words, disabling client cert verification in
“foo” also disables client cert verification in the “bar” server.

If I assign a new IP, 10.117.0.151, to server “bar” and try with foo’s
client cert verification “off” and bar’s “on”, it works as expected:
foo always returns the 403 error and bar correctly returns the normal
page.

I’ve checked and confirmed that SNI is enabled in my nginx; my openssl
is 1.0.0c and my nginx version is 0.9.3.

Is this expected, a bug, or did I do something wrong in the config?

Thanks.

Posted at Nginx Forum:

Hello!

On Wed, Aug 10, 2011 at 02:26:15AM -0400, speedfirst wrote:

> listen 10.117.0.150:3443;
> return 403;
> and remove its location block for “= /certauth”, both servers return
>
> Is this expected, a bug, or did I do something wrong in the config?

Try this patch:

http://mailman.nginx.org/pipermail/nginx-devel/2011-June/000985.html

Maxim D.

Thanks. Tried it, but it doesn’t work.


Hello!

On Thu, Aug 11, 2011 at 01:33:18AM -0400, speedfirst wrote:

> Thanks. Tried it, but it doesn’t work.

Could you please show the full, actual config you are able to
reproduce the problem with (the one posted is obviously incorrect,
as there are no directives like “ssl_on” and “ssl_private_key”)?

While the patch is required for proper per-server SNI-based client
cert verification, a closer look at your original post suggests that
you shouldn’t see 403 anyway. Instead, a request to “bar” with
ssl_verify_client switched off in the default “foo” server will result
in a “400 Bad Request” error without the patch (with the patch
everything should be OK, and it works fine here; I just tested with
0.9.3 too to make sure). Therefore I suspect there is some other
problem, probably a configuration or testing one.

Maxim D.
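For reference, here is the layout the thread is discussing written with real nginx directive names, as an added example; it is not a config from the original poster or from nginx itself. Certificate paths, the two server names and the IP:port are taken from the post, the `default_server` choice and the `X-Client-Verify` header are assumptions added here. “foo” is the default server for 10.117.0.150:3443 and does not ask for a client certificate; “bar” is selected by SNI and requires a certificate signed by nginx.bar.ca.crt. Whether nginx of that era applies bar’s `ssl_verify_client on` when foo is the default server on the same socket is exactly what the linked nginx-devel patch addresses, per the reply above.

```nginx
# Added example: corrected directive names for the two-server SNI setup.
# ssl_on / ssl_certification / ssl_private_key are not nginx directives;
# the real ones are "ssl on" (or "listen ... ssl"), ssl_certificate and
# ssl_certificate_key.

server {
    # Assumption: foo is the default server for this IP:port, so it is the
    # block nginx selects when the client sends no SNI name.
    listen 10.117.0.150:3443 ssl default_server;
    server_name foo;

    ssl_certificate     /opt/mycrt/nginx.crt;
    ssl_certificate_key /opt/mycrt/nginx.key;
    ssl_verify_client   off;

    location / {
        return 403;
    }
}

server {
    # Selected only when the client's SNI name is "bar".
    listen 10.117.0.150:3443 ssl;
    server_name bar;

    ssl_certificate        /opt/mycrt/nginx.crt;
    ssl_certificate_key    /opt/mycrt/nginx.key;
    # Require a client certificate chaining to bar's CA; handshakes that
    # fail verification end up as "400 Bad Request" from nginx.
    ssl_verify_client      on;
    ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;

    location = /certauth {
        # Assumption: echo the verification result so a test client can
        # confirm that bar's verify settings were the ones applied.
        add_header X-Client-Verify $ssl_client_verify;
    }

    location / {
        return 403;
    }
}
```

Validate with `nginx -t`, then exercise the two paths separately: `openssl s_client -connect 10.117.0.150:3443 -servername bar -cert client.crt -key client.key` followed by a `GET /certauth HTTP/1.0` with `Host: bar` should return the page and the `X-Client-Verify: SUCCESS` header, while the same with `-servername foo` and no client certificate should return 403. A 400 from “bar” with a valid certificate is the unpatched behaviour Maxim describes; a 403 from “bar” means the request is hitting a `return 403` location rather than a verification failure.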