Ssl stapling, verification fails

Hi.

I’m trying to get nginx 1.6.2 to authenticate users using their client
certificates.

I’m using this configuration (besides usual SSL settings, which are
proved
to work):

ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;

trusted.pem contains 3 CA certificates: test CA and 2 production CA
(main
and intermediate).
To pass verification data to the application I’m using

fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;

And here comes the issue: when using test CA and test cerificate, I’m
getting X-SSL-Verified: SUCCESS, but when using production ones, I’m
getting
X-SSL-Verified: FAILED. You can say that there’s a problem in my
certificate
bunch, but I tried to verify if the production certificate is really
issued
by the CA that I think about:

openssl verify -verbose -CAfile trusted.pem rt.cert
rt.cert: OK

Looks like it passes the verification. trusted.pem is the same that
nginx
uses. In the same time nginx thinks that certificate doesn’t pass the
test.
Why can this happen ? I’ve also tried setting ‘ssl_verify_client on;’ -
the
only difference that I get the 400 answer, because the verification
fails
explicitely.

Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,258480,258480#msg-258480

Hello!

On Wed, Apr 29, 2015 at 02:38:24AM -0400, drookie wrote:

ssl_verify_client optional_no_ca;
And here comes the issue: when using test CA and test cerificate, I’m
Why can this happen ? I’ve also tried setting ‘ssl_verify_client on;’ - the
only difference that I get the 400 answer, because the verification fails
explicitely.

Try looking into the error log, it should have details at the info
level.

Most likely, the problem is that you are trying to use
intermediate CAs with the default value of ssl_verify_depth, see
http://nginx.org/r/ssl_verify_depth.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs