Have you tried increasing the depth?

    ssl_verify_depth 3;

> On 4 Jan 2022, at 15:10, Marti, Ueli (Marin) <ueli.ma...@ch.glory-global.com> wrote:
>
> Hi,
> I am trying to set up nginx for OCSP client certificate verification and have
> troubles getting it to work with chained CAs.
> My setup is as follows; all referenced files are in the attached archive.
>
> - RootCa (pki/root/RootCa*.*): self-signed root CA certificate
> - IntermediateCa (pki/intermediate/IntermediateCa*.*): intermediate CA
>   certificate signed by RootCa
> - ServerCertificate (pki/intermediate/ServerCertificate*.*): server
>   certificate, signed by Intermediate CA
> - IntermediateClientA (pki/intermediate/IntermediateClientA*.*): intermediate
>   client certificate A, signed by Intermediate CA (password for p12: umtest)
> - IntermediateClientB (pki/intermediate/IntermediateClientB*.*): intermediate
>   client certificate B, signed by Intermediate CA, REVOKED (password for p12:
>   umtest)
> - IntermediateOcspResponder (pki/intermediate/IntermediateOcspResponder*.*):
>   intermediate OCSP responder certificate, extendedKeyUsage=OCSPSigning,
>   signed by Intermediate CA
>
> - nginx 1.20.2 runs on a Manjaro virtual machine
> - openssl ocsp responder runs on the same Manjaro box, port 8080 (started
>   with pki/startOcspResponder.sh):
>
>   openssl ocsp -index intermediate/index.txt -port 8080 \
>     -rsigner intermediate/IntermediateOcspResponderCert.pem \
>     -rkey intermediate/IntermediateOcspResponderKey.pem \
>     -CA intermediate/IntermediateChainCaCert.pem -text &
>
> nginx mTLS configuration is as follows (full nginx.conf attached):
>
>   ssl_ocsp on;
>   ssl_verify_client on;
>   ssl_client_certificate /etc/nginx/pki/intermediate/IntermediateChainCaCert.pem;
>   ssl_ocsp_responder http://127.0.0.1:8080;
>   ssl_verify_depth 2;
>
> I am trying to connect from Chrome, running on the Windows host, using
> alternatively the Client A/B certificates.
>
> With the above configuration, connection with Client A fails, which is NOT
> expected; Client A should be able to connect.
> nginx error.log indicates:
>
>   2022/01/04 10:06:29 [error] 2920#2920: *4 OCSP_basic_verify() failed (SSL: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted) while requesting certificate status, responder: 127.0.0.1, peer: 127.0.0.1:8080
>
> Connection with Client B fails too; this is expected, as the Client B
> certificate is revoked.
> nginx error.log indicates:
>
>   2022/01/04 10:06:42 [info] 2920#2920: *14 client SSL certificate verify error: certificate revoked while reading client request headers, client: 192.168.1.115, server: localhost, request: "GET / HTTP/1.1", host: "192.168.1.110"
>
> When changing the nginx configuration to:
>
>   ssl_ocsp leaf;
>
> everything works as expected: Client A can connect, Client B cannot.
>
> Trying OCSP verification directly using the openssl CLI works as expected
> as well:
>
>   openssl ocsp -issuer intermediate/IntermediateCaCert.pem \
>     -CAfile intermediate/IntermediateChainCaCert.pem \
>     -cert intermediate/IntermediateClientACert.pem -url http://127.0.0.1:8080
>   Response verify OK
>   intermediate/IntermediateClientACert.pem: good
>           This Update: Jan  4 09:20:56 2022 GMT
>
>   openssl ocsp -issuer intermediate/IntermediateCaCert.pem \
>     -CAfile intermediate/IntermediateChainCaCert.pem \
>     -cert intermediate/IntermediateClientBCert.pem -url http://127.0.0.1:8080
>   Response verify OK
>   intermediate/IntermediateClientBCert.pem: revoked
>           This Update: Jan  4 09:21:37 2022 GMT
>           Revocation Time: Dec 23 09:33:07 2021 GMT
>
> How do I need to configure nginx to make OCSP validation work for the
> certificate chain, not only the leaf?
> Thanks
>
> <nginx_pki.tar.gz>
_______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
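The mTLS server block under discussion, written out as an added example; it is not the poster's nginx.conf and not part of either message. The paths follow the layout described in the thread; the server certificate and key file names and the root CA file name used in the comments are assumptions. The comments carry the directive semantics from the nginx documentation: `ssl_ocsp on` validates every certificate in the client's chain while `ssl_ocsp leaf` validates only the client certificate, and `ssl_ocsp_responder` overrides the AIA URL of every certificate nginx validates. Whether that explains the "root ca not trusted" error is not settled in the thread; the openssl command in the comments is the check that tells you whether the responder can vouch for the intermediate at all.

```nginx
# Added example, not the poster's configuration. File names marked
# "assumed" do not appear in the thread.
server {
    listen      443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/pki/intermediate/ServerCertificateCert.pem;  # assumed name
    ssl_certificate_key /etc/nginx/pki/intermediate/ServerCertificateKey.pem;   # assumed name

    # Client certificate verification (mTLS). The trust file has to contain
    # the CAs the client certificates chain to: IntermediateCa and RootCa.
    ssl_verify_client      on;
    ssl_client_certificate /etc/nginx/pki/intermediate/IntermediateChainCaCert.pem;

    # Client -> IntermediateCa -> RootCa. The value must be large enough for
    # this chain; the poster used 2, the reply suggests 3.
    ssl_verify_depth 2;

    # OCSP validation of the client certificate (nginx >= 1.19.0):
    #   ssl_ocsp on;    validates every certificate in the client's chain,
    #                   i.e. the client certificate AND IntermediateCa
    #   ssl_ocsp leaf;  validates only the client certificate
    ssl_ocsp on;

    # Overrides the AIA URL for every certificate validated with ssl_ocsp.
    # With "ssl_ocsp on" this responder is therefore also asked about
    # IntermediateCa, whose issuer is RootCa rather than IntermediateCa.
    # Check from the shell what the responder answers for that query
    # (RootCaCert.pem is an assumed name following the pki/root/RootCa*.* layout):
    #
    #   openssl ocsp -issuer pki/root/RootCaCert.pem \
    #     -CAfile pki/intermediate/IntermediateChainCaCert.pem \
    #     -cert pki/intermediate/IntermediateCaCert.pem -url http://127.0.0.1:8080
    #
    # Both "Response verify OK" and the status line must be acceptable before
    # "ssl_ocsp on" can succeed for a client of this intermediate.
    ssl_ocsp_responder http://127.0.0.1:8080;

    # Optional: cache OCSP responses so each handshake does not re-query.
    ssl_ocsp_cache shared:ocsp:1m;

    location / {
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>; useful while
        # testing which of the two client certificates got through.
        return 200 "client $ssl_client_s_dn verify: $ssl_client_verify\n";
    }
}
```

Run the `openssl ocsp` command from the comment once with `-cert` pointing at the client certificate and `-issuer` at IntermediateCaCert.pem (as the poster did), and once as written above for the intermediate itself; the two results together show exactly which of the chain's status checks nginx can satisfy with `ssl_ocsp on`.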