Problem with Client SSL certificates

I tried to configure nginx with client certificates, but only get 400
Bad Request (No required SSL certificate was sent)

Here is my setup:
Nginx 0.7.65 on Ubuntu 10.4.3 with php5-fpm 5.3.2-1

I set up a vhost configuration for testing these client certificates:

server {
    listen 443;
    ssl on;
    ssl_session_timeout 30m;
    server_name test.myserver.lan;
    error_log /var/log/nginx/debug.log debug;

    ssl_certificate        /etc/nginx/certs/server.crt;
    ssl_certificate_key    /etc/nginx/certs/server.key;

    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client      on;

    location / {
        root            /var/www/test;
        fastcgi_pass    unix:/tmp/php.sock;
        fastcgi_param   SCRIPT_FILENAME /var/www/test/test.php;
        fastcgi_param   VERIFIED        $ssl_client_verify;
        fastcgi_param   DN              $ssl_client_s_dn;
        include         fastcgi_params;
    }
}

For testing I generated a self-signed server key and server cert. Later
in production this server certificate should be changed to a trusted
certificate from an official CA. This part is working fine.

The problem began with the client certificates.
Here are the steps I did:

  1. Generate a root CA (only for the client certificates)

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

  2. Generate the self-signed client certificate

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

  3. Convert to PKCS#12

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

  4. Import the client.p12 into Firefox

I got 400 Bad Request (No required SSL certificate was sent)

Server log says:

2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL handshake handler: 0
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_do_handshake: 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL: TLSv1, cipher: "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 post event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 delete posted event 08D3FE40
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request line
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: 434
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_read: -1
2012/02/10 10:13:23 [debug] 30297#0: *8819 SSL_get_error: 2
2012/02/10 10:13:23 [debug] 30297#0: *8819 http request line: "GET / HTTP/1.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http uri: "/"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http args: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http exten: ""
2012/02/10 10:13:23 [debug] 30297#0: *8819 http process request header line
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Host: test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Encoding: gzip, deflate"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Connection: keep-alive"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cookie: PHPSESSID=5nn4bei3plftd5r12790kk12n1"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header: "Cache-Control: max-age=0"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http header done
2012/02/10 10:13:23 [info] 30297#0: *8819 client sent no required SSL certificate while reading client request headers, client: 150.102.1.193, server: test.myserver.lan, request: "GET / HTTP/1.1", host: "test.myserver.lan"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http finalize request: 496, "/?" 1
2012/02/10 10:13:23 [debug] 30297#0: *8819 event timer del: 12: 1720368829
2012/02/10 10:13:23 [debug] 30297#0: *8819 http special response: 496, "/?"
2012/02/10 10:13:23 [debug] 30297#0: *8819 http set discard body
2012/02/10 10:13:23 [debug] 30297#0: *8819 HTTP/1.1 400 Bad Request
Server: nginx/0.7.65
Date: Fri, 10 Feb 2012 09:13:23 GMT
Content-Type: text/html
Content-Length: 253
Connection: close

To see a little more output from the client side:

curl -v -s -k https://test.myserver.lan

* About to connect() to port 443 (#0)
*   Trying 150.102.5.20... connected
* Connected to test.myserver.lan (150.102.5.20) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=DE; ST=RLP; L=MyCity; O=My company; OU=My Company; CN=test.myserver.lan; [email protected]
*        start date: 2012-02-06 10:15:29 GMT
*        expire date: 2013-02-05 10:15:29 GMT
*        common name: test.myserver.lan
*        issuer: C=DE; ST=RLP; L=MyCity; O=My Company; OU=My Company; CN=test.myserver.lan; [email protected]
*        SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: test.myserver.lan
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/0.7.65
< Date: Fri, 10 Feb 2012 09:19:00 GMT
< Content-Type: text/html
< Content-Length: 253
< Connection: close
<
400 No required SSL certificate was sent
400 Bad Request
No required SSL certificate was sent
nginx/0.7.65
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

If I interpret the log files right, there is only an SSL handshake for
the server cert authentication?!?!?
Does anybody have a hint where the mistake is?

Posted at Nginx Forum: