Hello!

On Tue, Jan 04, 2022 at 11:10:33AM +0000, Marti, Ueli (Marin) wrote:

> Hi,
> I am trying to set up nginx for OCSP client certificate verification and have
> trouble getting it to work with chained CAs.
> My setup is as follows; all referenced files are in the attached archive.
> - RootCa (pki/root/RootCa*.*): self-signed root CA certificate
> - IntermediateCa (pki/intermediate/IntermediateCa*.*): intermediate CA
>   certificate signed by RootCa
> - ServerCertificate (pki/intermediate/ServerCertificate*.*): server
>   certificate, signed by the intermediate CA
> - IntermediateClientA (pki/intermediate/IntermediateClientA*.*): intermediate
>   client certificate A, signed by the intermediate CA (password for p12: umtest)
> - IntermediateClientB (pki/intermediate/IntermediateClientB*.*): intermediate
>   client certificate B, signed by the intermediate CA, REVOKED (password for
>   p12: umtest)
> - IntermediateOcspResponder (pki/intermediate/IntermediateOcspResponder*.*):
>   intermediate OCSP responder certificate, extendedKeyUsage=OCSPSigning,
>   signed by the intermediate CA
>
> - nginx 1.20.2 runs on a Manjaro virtual machine
> - the openssl ocsp responder runs on the same Manjaro box, port 8080 (started
>   with pki/startOcspResponder.sh):
>   openssl ocsp -index intermediate/index.txt -port 8080 -rsigner
>   intermediate/IntermediateOcspResponderCert.pem -rkey
>   intermediate/IntermediateOcspResponderKey.pem -CA
>   intermediate/IntermediateChainCaCert.pem -text &
>
> The nginx mTLS configuration is as follows (full nginx.conf attached):
>   ssl_ocsp on;
>   ssl_verify_client on;
>   ssl_client_certificate /etc/nginx/pki/intermediate/IntermediateChainCaCert.pem;
>   ssl_ocsp_responder http://127.0.0.1:8080;
>   ssl_verify_depth 2;
>
> I am trying to connect from Chrome, running on the Windows host, using
> alternatively the Client A/B certificates.
>
> With the above configuration, the connection with Client A fails, which is NOT
> expected; Client A should be able to connect.
> nginx error.log indicates:
> 2022/01/04 10:06:29 [error] 2920#2920: *4 OCSP_basic_verify() failed (SSL:
> error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted) while
> requesting certificate status, responder: 127.0.0.1, peer: 127.0.0.1:8080
>
> The connection with Client B fails too; this is expected, as the Client B
> certificate is revoked.
> nginx error.log indicates:
> 2022/01/04 10:06:42 [info] 2920#2920: *14 client SSL certificate verify
> error: certificate revoked while reading client request headers, client:
> 192.168.1.115, server: localhost, request: "GET / HTTP/1.1", host:
> "192.168.1.110"
>
> When changing the nginx configuration to:
>   ssl_ocsp leaf;
> everything works as expected: Client A can connect, Client B cannot.

So the OCSP check of the intermediate CA certificate is not working.
Given you only have one OCSP responder running, which is only capable of
signing responses for the intermediate CA, this looks like an expected
result. Have you tried to also run an OCSP responder for the root CA, so
the intermediate CA certificate can be checked?

[...]

-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
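The failure above can be reproduced, and the fix Maxim suggests checked, without nginx or a listening responder, because openssl ocsp can both answer a request read from a file (-index/-reqin/-respout) and verify a stored response (-respin). The script below is an added example and not code from the thread or from nginx; every file name, common name and serial in it is made up. It builds a root, an intermediate, two client certificates (one revoked) and one delegated OCSP responder under each CA, writes the two index.txt databases by hand, and then runs the same OCSP_basic_verify() check nginx runs, with the intermediate-plus-root bundle as the trust store, for three cases: the leaf checks that ssl_ocsp leaf performs, the check of the intermediate certificate against the intermediate-certified responder (the thread's single-responder setup, which ends in "root ca not trusted" because that signer is neither the root nor delegated by it), and the same check against a responder certified by the root.

```shell
#!/bin/sh
# Added example (not from the thread; all names invented): reproduce the
# "root ca not trusted" OCSP failure offline and show the root-level responder
# that fixes it. Requires only the openssl command-line tool.
set -u
WORK=$(mktemp -d) && cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT

printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf   # minimal config; -subj supplies the DN
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext

# key_csr <name> <CN>: fresh RSA key and CSR
key_csr() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
# issue <name> <ca> <decimal serial> <extfile>: sign the CSR with the CA's key
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
    -days 365 -extfile "$4" -out "$1.pem" 2>/dev/null
}

key_csr root RootCa && openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem 2>/dev/null
key_csr inter IntermediateCa        && issue inter root 8192 ca.ext         # serial 0x2000
key_csr root_ocsp RootOcsp          && issue root_ocsp root 8193 ocsp.ext   # serial 0x2001
key_csr client_a ClientA            && issue client_a inter 4096 ee.ext     # serial 0x1000
key_csr client_b ClientB            && issue client_b inter 4097 ee.ext     # serial 0x1001, revoked below
key_csr inter_ocsp IntermediateOcsp && issue inter_ocsp inter 4098 ocsp.ext # serial 0x1002
cat inter.pem root.pem > chain.pem   # the bundle nginx would get via ssl_client_certificate

# CA databases in the index.txt layout read by openssl ocsp -index: tab-separated
# status (V/R), expiry, revocation time, serial in upper-case hex, file, subject.
# A responder can only answer about certificates listed in *its* database.
printf 'V\t330101000000Z\t\t2000\tunknown\t/CN=IntermediateCa\n'       > root.index
printf 'V\t330101000000Z\t\t2001\tunknown\t/CN=RootOcsp\n'            >> root.index
printf 'V\t330101000000Z\t\t1000\tunknown\t/CN=ClientA\n'              > inter.index
printf 'R\t330101000000Z\t220104000000Z\t1001\tunknown\t/CN=ClientB\n' >> inter.index
printf 'V\t330101000000Z\t\t1002\tunknown\t/CN=IntermediateOcsp\n'     >> inter.index

# request <issuer> <cert> <out>: the OCSP request a client would send for <cert>
request() { openssl ocsp -issuer "$1.pem" -cert "$2.pem" -no_nonce -reqout "$3" >/dev/null 2>&1; }
# respond <index> <ca> <responder> <req> <out>: one answer from a responder
# started with -index <index> -CA <ca> -rsigner <responder>
respond() {
  openssl ocsp -index "$1" -CA "$2.pem" -rsigner "$3.pem" -rkey "$3.key" \
    -reqin "$4" -respout "$5" >/dev/null 2>&1
}
# verify <issuer> <cert> <resp>: the client-side OCSP_basic_verify() with the same
# trust anchors nginx has; prints the verdict, exit status is openssl's (0 = verified)
verify() { openssl ocsp -issuer "$1.pem" -cert "$2.pem" -no_nonce -respin "$3" -CAfile chain.pem 2>&1; }

# ssl_ocsp leaf: only the client certificate is checked, via the intermediate's responder.
check_client_a() { request inter client_a a.req && respond inter.index inter inter_ocsp a.req a.resp && verify inter client_a a.resp; }
check_client_b() { request inter client_b b.req && respond inter.index inter inter_ocsp b.req b.resp && verify inter client_b b.resp; }
# ssl_ocsp on: the intermediate certificate is checked too. Answered by the
# intermediate-certified responder, the signer is neither the issuer (the root)
# nor delegated by it, so the check fails with "root ca not trusted".
check_inter_wrong() { request root inter i.req && respond root.index root inter_ocsp i.req i_wrong.resp && verify root inter i_wrong.resp; }
# Fix: a second responder, certified by the root, serving the root's database.
check_inter_fixed() { request root inter i.req && respond root.index root root_ocsp i.req i_ok.resp && verify root inter i_ok.resp; }

for c in check_client_a check_client_b check_inter_wrong check_inter_fixed; do
  echo "== $c"; "$c"
done
```

Two caveats when carrying this over to nginx. First, the "root ca not trusted" path is only reached because OpenSSL does not treat a plain self-signed root as trusted for OCSP signing; the remedy is a responder whose certificate is issued by the CA of the certificate being checked (or is that CA itself), not a larger ssl_verify_depth. Second, ssl_ocsp_responder replaces the Authority Information Access URL for every certificate in the client chain, so with a single URL nginx sends the intermediate's status request to the same port as the leaf's; either the service behind that URL must answer for both databases, or the directive is dropped and each certificate carries the AIA URL of the responder that can answer for it.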