I tried to configure nginx with client certificates, but only get 400
Bad Request (No required SSL certificate was sent)
Here is my Setup:
Nginx 0.7.65 on Ubuntu 10.4.3 with php5-fpm 5.3.2-1
I set up a vhost configuration for testing these client certificates:
server {
    listen 443;
    ssl on;
    ssl_session_timeout 30m;
    server_name test.myserver.lan;
    error_log /var/log/nginx/debug.log debug;

    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # CA that signed the client certificates; nginx lists its DN in the CertificateRequest
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;

    location / {
        root /var/www/test;
        fastcgi_pass unix:/tmp/php.sock;
        fastcgi_param SCRIPT_FILENAME /var/www/test/test.php;
        # verification result and client subject DN, handed to PHP
        fastcgi_param VERIFIED $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
        include fastcgi_params;
    }
}
For testing I generated a self-signed server key and server cert. Later, in production, this server certificate should be replaced with a trusted certificate from an official CA. This part is working fine.
The problem began with the client certificates.
Here are the steps I did:
1. Generate a root CA (only for the client certificates):
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2. Generate the self-signed client certificate:
    openssl genrsa -des3 -out client.key 4096
    openssl req -new -key client.key -out client.csr
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
3. Convert to PKCS#12:
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
4. Import client.p12 into Firefox.
I got 400 Bad Request (No required SSL certificate was sent)
Server log says:
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL handshake handler: 0
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL: TLSv1, cipher: "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: 434
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 http request line: "GET / HTTP/1.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http uri: "/"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http args: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http exten: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request header line
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Host: test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Encoding: gzip, deflate"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Connection: keep-alive"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cookie: PHPSESSID=5nn4bei3plftd5r12790kk12n1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cache-Control: max-age=0"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header done
2012/02/10 10:13:23 [info] 30297#0: *8819 client sent no required SSL certificate while reading client request headers, client: 150.102.1.193, server: test.myserver.lan, request: "GET / HTTP/1.1", host: "test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http finalize request: 496, "/?" 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 event timer del: 12: 1720368829
2012/02/10 10:13:23 [debug] 30297#0: *8819 http special response: 496, "/?"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http set discard body
2012/02/10 10:13:23 [debug] 30297#0: *8819 HTTP/1.1 400 Bad Request
Server: nginx/0.7.65
Date: Fri, 10 Feb 2012 09:13:23 GMT
Content-Type: text/html
Content-Length: 253
Connection: close
To see a little more output from the client side:
curl -v -s -k https://test.myserver.lan
* About to connect() to port 443 (#0)
*   Trying 150.102.5.20... connected
* Connected to test.myserver.lan (150.102.5.20) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=DE; ST=RLP; L=MyCity; O=My company; OU=My Company; CN=test.myserver.lan; [email protected]
*        start date: 2012-02-06 10:15:29 GMT
*        expire date: 2013-02-05 10:15:29 GMT
*        common name: test.myserver.lan
*        issuer: C=DE; ST=RLP; L=MyCity; O=My Company; OU=My Company; CN=test.myserver.lan; [email protected]
*        SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: test.myserver.lan
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/0.7.65
< Date: Fri, 10 Feb 2012 09:19:00 GMT
< Content-Type: text/html
< Content-Length: 253
< Connection: close
<
400 Bad Request
No required SSL certificate was sent
nginx/0.7.65
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
If I interpret the log files right, there is only an SSL handshake for the server cert authentication?!?!?
Does anybody have a hint where the mistake is?
Posted at Nginx Forum:
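An added example, not part of the original post and not nginx's or OpenSSL's own code: a POSIX shell script that reproduces the certificate procedure from the post end to end and adds the checks a failed client-certificate handshake usually needs. It issues the client certificate with clientAuth extensions, verifies it against the exact CA file that `ssl_client_certificate` will point at, builds the PKCS#12 bundle with the CA certificate included so the browser can match the issuer name nginx lists in its CertificateRequest, and writes an nginx snippet that starts with `ssl_verify_client optional`, so an absent or bad certificate reaches the backend as `$ssl_client_verify` = NONE or FAILED instead of nginx answering 400 before PHP sees anything. The working directory (a temp dir), the CA subject `Client Root CA`, the PKCS#12 password `changeit`, the client name argument and the hostname `test.myserver.lan` are assumptions for this example; it needs the `openssl` command on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: issue a client certificate from a
# private CA, prove it chains to the CA file nginx will be given, bundle it for a
# browser, and emit an nginx snippet that reports the verification result.
# Assumptions: openssl on PATH; WORK is a scratch directory; subjects, the
# PKCS#12 password and the hostname test.myserver.lan are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-test.myserver.lan}"
P12_PASS="${P12_PASS:-changeit}"   # assumed example password

# 1. Root CA used only for client certificates. The key is left unencrypted so
#    the script runs unattended; the post's -des3 is fine for a CA kept offline.
gen_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
        -subj "/CN=Client Root CA" -out "$WORK/ca.crt"
}

# 2. Client key + CSR, signed by the CA with extensions that mark it as an
#    end-entity certificate for TLS client authentication.
gen_client() {
    name=$1
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
    openssl x509 -req -days 365 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/client.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# 3. The check missing from the post: does the client cert verify against
#    exactly the file that ssl_client_certificate points at? The output is
#    matched because old OpenSSL versions exit 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK$'
}

# 4. PKCS#12 for the browser. -certfile adds the CA cert so the browser can
#    match the issuer name nginx lists in its CertificateRequest.
bundle_p12() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/$1.p12"
}

# Issuer DN of the client cert; this is the name nginx advertises as acceptable.
client_issuer() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer | sed 's/^issuer= *//'
}

# nginx snippet: start with "optional" so a bad or absent cert is visible to the
# backend as $ssl_client_verify = NONE / FAILED instead of a bare 400; switch to
# "on" once SUCCESS is seen.
write_nginx_snippet() {
    cat > "$WORK/client-cert.conf" <<EOF
server {
    listen 443;
    ssl on;
    server_name $SERVER_NAME;
    ssl_certificate        /etc/nginx/certs/server.crt;
    ssl_certificate_key    /etc/nginx/certs/server.key;
    ssl_client_certificate $WORK/ca.crt;   # must be the CA that signed the client cert
    ssl_verify_client      optional;       # debugging; "on" in production
    ssl_verify_depth       1;              # client cert is signed directly by the CA
    location / {
        fastcgi_pass unix:/tmp/php.sock;
        fastcgi_param SCRIPT_FILENAME /var/www/test/test.php;
        fastcgi_param VERIFIED \$ssl_client_verify;
        fastcgi_param DN       \$ssl_client_s_dn;
        include fastcgi_params;
    }
}
EOF
}

main() {
    name=${1:?usage: $0 <client-name>}
    gen_ca
    gen_client "$name"
    verify_chain "$name" || { echo "$name.crt does not chain to ca.crt" >&2; exit 1; }
    bundle_p12 "$name"
    write_nginx_snippet
    echo "issuer nginx will request: $(client_issuer "$name")"
    echo "browser bundle: $WORK/$name.p12 (password: $P12_PASS)"
    echo "nginx snippet:  $WORK/client-cert.conf"
    # Unlike the curl run in the post, this invocation actually offers a client cert.
    echo "test: curl -v --cacert /etc/nginx/certs/server.crt --cert $WORK/$name.crt --key $WORK/$name.key https://$SERVER_NAME/"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh mkclientcert.sh alice`. Two things it makes explicit about the post's own test: the curl command there passes no `--cert`/`--key`, so that client can never present a certificate and the 400 is expected by construction; and with `ssl_verify_client on` nginx completes the TLS handshake and only then rejects the request (the `496` in the debug log is nginx's internal "no certificate" code, rendered as 400), so a handshake that "succeeds" in the log says nothing about whether a certificate was offered. Running with `optional` first and reading `VERIFIED` in PHP separates "no cert sent" (NONE) from "cert sent but not signed by ca.crt" (FAILED).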