JoakimR Wrote:
-------------------------------------------------------
> Without any configuration it's impossible to do much rather than refer
> you to nginx.org documentation
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html

The configuration in the vhost file is:

ssl on;
ssl_certificate /etc/ssl/private/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
ssl_client_certificate /path/to/application/var/ssl/ca/ca.comb;
ssl_verify_client optional;
ssl_verify_depth 2;

This is the output of debug level logging for a failed request (sensitive info replaced with generic words):

2017/02/19 14:17:37 [debug] 20917#20917: post event 000055D4E36D71A0
2017/02/19 14:17:37 [debug] 20917#20917: delete posted event 000055D4E36D71A0
2017/02/19 14:17:37 [debug] 20917#20917: accept on 0.0.0.0:443, ready: 1
2017/02/19 14:17:37 [debug] 20917#20917: posix_memalign: 000055D4E368EA20:512 @16
2017/02/19 14:17:37 [debug] 20917#20917: *94 accept: xx.xx.xx.xx:62856 fd:10
2017/02/19 14:17:37 [debug] 20917#20917: *94 event timer add: 10: 60000:1487531917179
2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 1
2017/02/19 14:17:37 [debug] 20917#20917: *94 epoll add event: fd:10 op:1 ev:80002001
2017/02/19 14:17:37 [debug] 20917#20917: accept() not ready (11: Resource temporarily unavailable)
2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 http check ssl handshake
2017/02/19 14:17:37 [debug] 20917#20917: *94 http recv(): 1
2017/02/19 14:17:37 [debug] 20917#20917: *94 https ssl handshake: 0x16
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN supported by client: spdy/3.1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN supported by client: spdy/3
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN supported by client: http/1.1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN selected: http/1.1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL server name: "our.server.com"
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_do_handshake: -1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2
2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 0
2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL handshake handler: 0
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_do_handshake: -1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2
2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL handshake handler: 0
2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:0, error:26, depth:1, subject:"/CN=OUR-COMPANY Client CA/ST=State/C=US/O=OUR-COMPANY Client CA", issuer:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc"
2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:1, error:26, depth:2, subject:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc", issuer:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc"
2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:1, error:26, depth:1, subject:"/CN=OUR-COMPANY Client CA/ST=State/C=US/O=OUR-COMPANY Client CA", issuer:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc"
2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:1, error:26, depth:0, subject:"/C=US/ST=State/L=City/O=OUR-COMPANY Client Certificate/CN=OUR-COMPANY-MUS-58A9EEA5", issuer:"/CN=OUR-COMPANY Client CA/ST=State/C=US/O=OUR-COMPANY Client CA"
2017/02/19 14:17:37 [debug] 20917#20917: *94 ssl new session: F89EA5F8:32:1533
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_do_handshake: 1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 1
2017/02/19 14:17:37 [debug] 20917#20917: *94 http wait request handler
2017/02/19 14:17:37 [debug] 20917#20917: *94 malloc: 000055D4E3702330:1024
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_read: -1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2
2017/02/19 14:17:37 [debug] 20917#20917: *94 free: 000055D4E3702330
2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380
2017/02/19 14:17:37 [debug] 20917#20917: *94 http wait request handler
2017/02/19 14:17:37 [debug] 20917#20917: *94 malloc: 000055D4E3702330:1024
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_read: 313
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_read: -1
2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2
2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 0
2017/02/19 14:17:37 [debug] 20917#20917: *94 posix_memalign: 000055D4E369B8A0:4096 @16
2017/02/19 14:17:37 [debug] 20917#20917: *94 http process request line
2017/02/19 14:17:37 [debug] 20917#20917: *94 http request line: "GET / HTTP/1.1"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http uri: "/"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http args: ""
2017/02/19 14:17:37 [debug] 20917#20917: *94 http exten: ""
2017/02/19 14:17:37 [debug] 20917#20917: *94 posix_memalign: 000055D4E3703F20:4096 @16
2017/02/19 14:17:37 [debug] 20917#20917: *94 http process request header line
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Host: our.server.com"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Accept-Language: en-us"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Connection: keep-alive"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Accept-Encoding: gzip, deflate"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "User-Agent: Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http header done
2017/02/19 14:17:37 [info] 20917#20917: *94 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client: xx.xx.xx.xx, server: our.server.com, request: "GET / HTTP/1.1", host: "our.server.com"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http finalize request: 495, "/?" a:1, c:1
2017/02/19 14:17:37 [debug] 20917#20917: *94 event timer del: 10: 1487531917179
2017/02/19 14:17:37 [debug] 20917#20917: *94 http special response: 495, "/?"
2017/02/19 14:17:37 [debug] 20917#20917: *94 http set discard body
2017/02/19 14:17:37 [debug] 20917#20917: *94 xslt filter header
2017/02/19 14:17:37 [debug] 20917#20917: *94 HTTP/1.1 400 Bad Request
Server: nginx
Date: Sun, 19 Feb 2017 19:17:37 GMT
Content-Type: text/html
Content-Length: 224
Connection: close

Beyond that, what information would be helpful? Is there any way to get more info about the SSL problem beyond log level debug?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272444,272509#msg-272509

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
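An added example, not code from the thread: the log's error 26 is OpenSSL's X509_V_ERR_INVALID_PURPOSE ("unsupported certificate purpose"), raised because nginx verifies a client chain for the TLS-client purpose, and the script below replays that check offline with the openssl command line so a certificate can be tested against a CA bundle before it is deployed behind ssl_verify_client. The certificates it generates (self-signed, with and without the clientAuth extendedKeyUsage) are constructed test material standing in for the poster's ca.comb and client certificate.

```shell
#!/bin/sh
# Added example (not from the thread). nginx verifies client certificates
# with OpenSSL's "sslclient" purpose, so a leaf whose extendedKeyUsage lacks
# clientAuth fails with error 26 even though it chains to the configured CA.
set -eu

# Prints "yes" if OpenSSL would accept the certificate as a TLS client
# certificate (the "SSL client" line of `openssl x509 -purpose`), else "no".
cert_allows_client_auth() {
    if openssl x509 -in "$1" -noout -purpose | grep '^SSL client :' | grep -q 'Yes'; then
        echo yes
    else
        echo no
    fi
}

# Replays nginx's check: verify <cert> against <ca_bundle> for purpose sslclient.
# Prints "ok", "error 26" (X509_V_ERR_INVALID_PURPOSE) or the raw OpenSSL output.
# Decided on the output text, not the exit code, because old openssl versions
# exit 0 even when verification fails.
verify_as_client_cert() {   # verify_as_client_cert <ca_bundle> <cert>
    out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *"unsupported certificate purpose"*) echo "error 26" ;;
        *": OK"*) echo ok ;;
        *) echo "$out" ;;
    esac
}

# Constructed test material: a self-signed certificate carrying the given
# extendedKeyUsage. Self-signed so it can serve as its own CA bundle here;
# a real check uses the CA-issued client certificate and the server's bundle.
make_self_signed() {   # make_self_signed <out.pem> <eku> <cn>
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3\n[dn]\nCN = %s\n[v3]\nextendedKeyUsage = %s\n' \
        "$3" "$2" > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_self_signed "$WORK/client.pem" clientAuth constructed-client
make_self_signed "$WORK/server.pem" serverAuth constructed-wrong-purpose
for c in client server; do
    echo "$c: allows client auth=$(cert_allows_client_auth "$WORK/$c.pem")" \
         "verify=$(verify_as_client_cert "$WORK/$c.pem" "$WORK/$c.pem")"
done
```

Run it against the real files as `verify_as_client_cert /path/to/ca.comb client.pem` to see whether the server-side bundle accepts a given client certificate for the TLS-client purpose.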