$ssl_client_verify not working?

Hi, I was wanting to return a 403 when an invalid client certificate is submitted, however Nginx 1.9.6 is returning 400 Bad Request, The SSL Certificate Error.
It seems to return 403 fine when no certificate is submitted, but any clues on getting it to return a 403 when an invalid (signed by an unauthorised CA) certificate is submitted?

Nginx server block -

server {
   listen       443 ssl;
   server_name  server.com;

   ssl_certificate      /etc/nginx/server.crt;
   ssl_certificate_key  /etc/nginx/server.key;

   ssl_client_certificate  /etc/nginx/client_ca.crt;
   ssl_verify_client       optional;
   ssl_verify_depth        2;

   if ($ssl_client_verify != SUCCESS) {
      return 403;
   }
}

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,266136,266136#msg-266136

… I also tried adding the below, but it still wouldn’t return a 403?

   error_page 400 =403 /;

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,266136,266138#msg-266138

Does anyone know of any way to re-map a 400 response code?

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,266136,266185#msg-266185

On 13 Apr 2016, at 03:01, Ramon_Ali [email protected] wrote:

  server_name  server.com;
  }

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors

error_page 495 496 =403 /403.html;


Igor S.
http://nginx.com

Ahh, as I wasn’t seeing the 495 and 496 codes in the logs, only 400, I had assumed that was what I needed to re-map. Using 495 and 496 works wonderfully!

Thanks Igor.

2016/04/14 21:46:51 [info] 7#7: *1 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 142.22.213.199, server: server.jetstar.com, request: "GET / HTTP/1.1", host: "server.com
172.23.203.199 - - [14/Apr/2016:21:46:51 +0000] "GET / HTTP/1.1" 403 168 "-" "curl/7.40.0" "-""/C=AU/ST=NSW/L=Sydney/O=ex NSI/OU=HQ/CN=Ramon's Key/[email protected]" "/C=AU/ST=NSW/O=NSI/OU=HQ/CN=Cert Authority/[email protected]";"FAILED"

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,266136,266191#msg-266191
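
The configuration this thread arrives at, written out in full as an added example (not posted by anyone in the thread). The `/403.html` page comes from Igor's reply; the document root, the log path and the `mtls` log format name are assumptions. Because 495 and 496 are remapped to 403, the access log status no longer distinguishes a failed verification from a missing certificate, so the log format records `$ssl_client_verify` and the certificate DNs.

```nginx
# http{} context: log_format cannot be declared inside server{}.
# "mtls" is a hypothetical format name; it appends the client
# certificate subject, issuer and verification result to each line.
log_format mtls '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_user_agent" '
                '"$ssl_client_s_dn" "$ssl_client_i_dn";"$ssl_client_verify"';

server {
    listen       443 ssl;
    server_name  server.com;

    ssl_certificate      /etc/nginx/server.crt;
    ssl_certificate_key  /etc/nginx/server.key;

    # CA(s) trusted to sign client certificates.
    ssl_client_certificate  /etc/nginx/client_ca.crt;
    ssl_verify_client       optional;
    ssl_verify_depth        2;

    access_log /var/log/nginx/access.log mtls;   # assumed path

    # 495: an error occurred during client certificate verification.
    # 496: the client did not present a required certificate
    #      (raised when a certificate is mandatory, i.e. "on").
    # Without this line the client receives "400 Bad Request".
    error_page 495 496 =403 /403.html;

    location = /403.html {
        internal;                        # reachable only via error_page
        root /usr/share/nginx/html;      # assumed document root
    }

    location / {
        # With "optional", a request without a certificate is accepted
        # and $ssl_client_verify is NONE, so it is rejected here.
        # A certificate that fails verification never reaches this
        # check: nginx raises 495 first, handled by error_page above.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        root /usr/share/nginx/html;      # assumed document root
    }
}
```

Check the syntax with `nginx -t` before reloading.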
