
Client SSL with an Intermediate Certificate

I have a self-signed root certificate and an intermediate certificate signed by that root. Basically something like this:

.
└── master (CA)
    └── servant1 (CA)

I have a few client certificates which are derived from the master->servant1 certificate chain:

.
└── master (CA)
    └── servant1 (CA)
        ├── client1
        ├── client2
        └── client3

I'm looking to authenticate these client certificates in nginx and I'm having a lot of trouble doing so.

Here's my nginx configuration:

upstream luci {
    server localhost:8080;
}

# Plain-HTTP listener: redirect everything to HTTPS.
server {
    listen                  127.0.0.1:80;
    server_name             myserver;

    return 301 https://$host$request_uri;
}

server {
    listen                  127.0.0.1:443;
    server_name             myserver;

    ssl                     on;
    # Server certificate and key presented to connecting clients.
    ssl_certificate         /etc/nginx/certs/myserver.crt;
    ssl_certificate_key     /etc/nginx/certs/myserver.key;

    ssl_session_timeout 5m;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ECDH+3DES:!DH+3DES:!RSA+3DES:!aNULL:!MD5:!DSS;

    # CAs trusted to issue client certificates: PEM file holding servant1
    # (intermediate) followed by master (root). Depth 2 covers the path
    # client -> servant1 -> master.
    ssl_client_certificate /etc/nginx/certs/servant1-ca-chain.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://luci;
    }
}

This should be pretty straightforward. All client certificates signed by the intermediate servant1 CA should be allowed to connect to nginx.

However, when I attempt to access the server with these client certificates, I get this:


(obviously an incredibly detailed and helpful error)

I find this in my logs:

2013/12/01 22:46:18 [alert] 7478#0: *5 ignoring stale global SSL error (SSL: error:0407006A:lib(4):func(112):reason(106) error:04067072:lib(4):func(103):reason(114) error:0D0C5006:lib(13):func(197):reason(6)) while reading client request line, client: 192.168.1.208, server: myserver

Useful information here is:

ignoring stale global SSL error

What's going wrong and how can I fix it?

I had generated my certificates using OpenSSL and most probably screwed something up along the way.

My recommendation is to use XCA when at all possible for generating SSL certificates, as it's incredibly secure, feature-complete, and makes it easy to manage public and private keys, certificates, CSRs, and more.
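Whichever tool issues the certificates, the thing to confirm before touching nginx is that the client certificate chains to the root through an intermediate that is actually marked as a CA, using the same file nginx gets in ssl_client_certificate. The script below is an added example, not code from the question or the answer: it issues master -> servant1 -> client1 with OpenSSL (CA:TRUE and keyCertSign on both CAs, CA:FALSE and clientAuth on the leaf), assembles the chain file in the order nginx expects, and runs openssl verify against it. It also builds a second, unrelated PKI with the same names, constructed purely to show the chain file rejecting a certificate it did not issue. The entity names follow the question; directory layout, key sizes and validity periods are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer): issue master -> servant1
# -> client1 with OpenSSL and verify the chain the way nginx does.
# Names follow the question; paths, key sizes and lifetimes are assumed.
set -eu

# sign CSR ISSUER_CRT ISSUER_KEY EXTFILE OUT DAYS
# Sign a CSR with the given CA; extensions come only from EXTFILE.
sign() {
    openssl x509 -req -sha256 -days "$6" -in "$1" -CA "$2" -CAkey "$3" \
        -CAcreateserial -extfile "$4" -out "$5" 2>/dev/null
}

# make_chain DIR: build the three-level PKI from the question under DIR.
make_chain() {
    dir="$1"
    mkdir -p "$dir"

    # Extension profiles. A CA cert needs CA:TRUE and keyCertSign; a leaf
    # gets CA:FALSE and clientAuth so it is only usable as a client cert.
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$dir/ca.ext"
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature" \
        "extendedKeyUsage=clientAuth" > "$dir/client.ext"

    # Keys and CSRs for all three entities.
    for cn in master servant1 client1; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    done

    # master: self-signed root CA.
    openssl x509 -req -sha256 -days 3650 -in "$dir/master.csr" \
        -signkey "$dir/master.key" -extfile "$dir/ca.ext" \
        -out "$dir/master.crt" 2>/dev/null
    # servant1: intermediate CA signed by master.
    sign "$dir/servant1.csr" "$dir/master.crt" "$dir/master.key" \
        "$dir/ca.ext" "$dir/servant1.crt" 1825
    # client1: leaf signed by servant1.
    sign "$dir/client1.csr" "$dir/servant1.crt" "$dir/servant1.key" \
        "$dir/client.ext" "$dir/client1.crt" 365

    # What nginx reads from ssl_client_certificate: intermediate, then root.
    cat "$dir/servant1.crt" "$dir/master.crt" > "$dir/servant1-ca-chain.crt"
}

# is_ca CERT: succeeds iff CERT carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# verify_client CHAINFILE CERT: succeeds iff CERT chains to a root in
# CHAINFILE through CA-marked intermediates, which is what nginx checks.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: a client from the real PKI passes; a client from an unrelated PKI
# with identical names (constructed here to play the outsider) is rejected.
demo() {
    work=$(mktemp -d)
    make_chain "$work/good"
    make_chain "$work/other"
    verify_client "$work/good/servant1-ca-chain.crt" "$work/good/client1.crt" \
        && echo "client1 (good): accepted"
    verify_client "$work/good/servant1-ca-chain.crt" "$work/other/client1.crt" \
        || echo "client1 (other CA): rejected"
    is_ca "$work/good/servant1.crt" && echo "servant1 is a CA"
    rm -rf "$work"
}

demo
```

Run it as-is to see the three results, or call make_chain on a directory of your choice and copy servant1-ca-chain.crt to the path in ssl_client_certificate. If verify_client fails on a certificate you issued by hand, is_ca on the intermediate is the first thing to check: an intermediate without CA:TRUE is not a valid issuer, and nothing it signs will pass nginx.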
