400 errors after upgrading to 1.14.0

wld75
Our service uses 2-way SSL for clients connecting to our systems. With
each new client we add their intermediate and root CA chain to the
concatenated certificates file used by ssl_client_certificate. We recently
upgraded to 1.14.0 (and the included modules), and now some, but not all, of
our customers are unable to connect and are getting 400 errors. We've tried
changing the order of the certificates in the concatenated file, but that
didn't help. It is happening across different certificate chains, but not all
of them, and all of them worked fine prior to the upgrade.

Has anyone else encountered this, or is there something we should be doing
differently in how we set up these certificates?

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281315,281315#msg-281315

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: 400 errors after upgrading to 1.14.0

Maxim Dounin
Hello!

On Wed, Sep 19, 2018 at 03:59:58PM -0400, kpuscas wrote:

> Our service uses 2-way SSL for clients connecting to our systems. With
> each new client we add their intermediate and root CA chain to the
> concatenated certificates file used by ssl_client_certificate. We recently
> upgraded to 1.14.0 (and the included modules), and now some, but not all, of
> our customers are unable to connect and are getting 400 errors. We've tried
> changing the order of the certificates in the concatenated file, but that
> didn't help. It is happening across different certificate chains, but not all
> of them, and all of them worked fine prior to the upgrade.
>
> Has anyone else encountered this, or is there something we should be doing
> differently in how we set up these certificates?

There were no recent changes in nginx related to client
certificate validation.  On the other hand, there were changes in
OpenSSL - most notably, OpenSSL 1.1.0+ now by default rejects
MD5-signed certificates and/or certificates with RSA keys shorter
than 1024 bits.

This might be the reason for the problems you have with some
certificates, assuming you've upgraded not only nginx but also
switched to a newer OpenSSL library.

You may also want to take a look at nginx error logs.  When nginx
returns a 400 error, it logs the reason to the error log at the
"info" level.

--
Maxim Dounin
http://mdounin.ru/
Re: 400 errors after upgrading to 1.14.0

wld75
Thanks Maxim,

Looks like the issue was a bad root cert in the chain. The CN was identical
to what the intermediate called out, but it wasn't the one that had issued
the intermediate. Also, we didn't know that setting the error log level to
info would give us the SSL error information. We had it set to debug but
couldn't figure anything out from that.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281315,281332#msg-281332

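A pre-deploy check along the lines of what this thread ends up needing, as an added example that is not from the thread or from nginx: the script splits the ssl_client_certificate bundle into individual certificates, flags the two things Maxim names as rejected by OpenSSL 1.1.0+ defaults (MD5 signatures and RSA keys shorter than 1024 bits), and runs `openssl verify` of every non-self-signed certificate against the bundle itself, so a "root" that merely shares the intermediate's issuer CN but did not actually sign it (the case found in the last post) fails here instead of as a 400 in production. It assumes a POSIX shell with awk, sed and the openssl CLI (1.1.1 or 3.x) in PATH; the 1024-bit threshold and the file path in the usage comment are assumptions.

```shell
#!/bin/sh
# audit_client_ca_bundle.sh: example added for this thread, not nginx code.
#
# Sanity-check the concatenated PEM file handed to nginx's
# ssl_client_certificate. For every certificate it prints subject, issuer,
# signature algorithm and key size, warns about what OpenSSL 1.1.0+ rejects
# by default (MD5 signatures, RSA keys shorter than 1024 bits), and verifies
# every non-self-signed certificate against the bundle itself, so a root that
# only shares the intermediate's issuer name but did not sign it is reported
# as a chain failure.
# Exit status: 0 = no problems, 1 = at least one problem, 2 = usage error.
# Assumed: POSIX sh, awk, sed, openssl 1.1.1 or 3.x; the 1024-bit threshold
# mirrors the OpenSSL default discussed in the thread.

audit_client_ca_bundle() {
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 2; }
    workdir=$(mktemp -d) || return 2
    problems=0
    n=0

    # Split the bundle into one PEM file per certificate, preserving order.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    for cert in "$workdir"/cert-*.pem; do
        [ -f "$cert" ] || { echo "no PEM certificates found in $bundle"; rm -rf "$workdir"; return 1; }
        n=$((n + 1))
        text=$(openssl x509 -in "$cert" -noout -text)
        subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p' | head -n 1)
        issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: //p' | head -n 1)
        sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
        keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

        echo "[$n] $subject"
        echo "    issuer : $issuer"
        echo "    sigalg : $sigalg   key: $keyalg ${bits:-?} bit"

        # What OpenSSL 1.1.0+ rejects by default.
        case $sigalg in
            *md5*|*MD5*)
                echo "    WARN   : MD5 signature, rejected by OpenSSL 1.1.0+ defaults"
                problems=$((problems + 1)) ;;
        esac
        if [ "$keyalg" = "rsaEncryption" ] && [ "${bits:-0}" -lt 1024 ]; then
            echo "    WARN   : RSA key shorter than 1024 bits, rejected by OpenSSL 1.1.0+ defaults"
            problems=$((problems + 1))
        fi

        # Roots are self-signed; everything else must chain to a root that is
        # also in the bundle. A matching issuer name is not enough: verify
        # checks the signature (and key identifiers), which is what catches a
        # same-CN root with a different key.
        if [ "$subject" != "$issuer" ]; then
            if verify_out=$(openssl verify -CAfile "$bundle" "$cert" 2>&1); then
                echo "    chain  : OK"
            else
                reason=$(printf '%s\n' "$verify_out" | sed -n '/^error/{p;q;}')
                echo "    chain  : FAIL ${reason:-$verify_out}"
                problems=$((problems + 1))
            fi
        fi
    done

    rm -rf "$workdir"
    echo "problems found: $problems"
    if [ "$problems" -eq 0 ]; then return 0; fi
    return 1
}

# Usage (path is an assumption): ./audit_client_ca_bundle.sh /etc/nginx/client-cas.pem
if [ -n "${1:-}" ]; then
    audit_client_ca_bundle "$1"
fi
```

Run it against the same file the ssl_client_certificate directive points at every time a customer chain is appended. The runtime counterpart is the line nginx writes at the info level when it answers with the 400, of the form `client SSL certificate verify error: (20:unable to get local issuer certificate)` for a missing or non-matching issuer; it only appears if error_log is set to info, which is the point Maxim makes above.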