Client certificate authentication with multiple CA but single CRL

Client certificate authentication with multiple CA but single CRL

xrd
Hi,

My current nginx configuration has 3 CAs concatenated into a PEM file called
/etc/ngx_cas. However, only one of these CAs is configured with a CRL which
is stored in /etc/ngx_crls.

        ssl_client_certificate     /etc/ngx_cas;
        ssl_verify_client          strict;
        ssl_crl                          /etc/ngx_crls;

When I make a request using curl, I get a 400 Bad request with SSL
certificate error, even though the client certificate is valid and signed by
one of the 3 CAs recognized by NGINX. This CA does not have a CRL tied to
it. Upon checking logs, this is the error that is thrown:
       2019/10/09 21:40:28 [info] 25610#0: *1 client SSL certificate verify
error: (3:unable to get certificate CRL) while reading client request
headers,

However, when I remove the configured CRL from NGINX, the curl request goes
through and authentication is successful.

Is there any limitation on CRLs where if one trustpoint's CRL is configured,
then CRL for all should be configured as well?

Please let me know if I am missing something.

Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285834,285834#msg-285834

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Client certificate authentication with multiple CA but single CRL

Maxim Dounin
Hello!

On Wed, Oct 09, 2019 at 05:55:31PM -0400, vz19 wrote:

> My current nginx configuration has 3 CAs concatenated into a PEM file called
> /etc/ngx_cas. However, only one of these CAs is configured with a CRL which
> is stored in /etc/ngx_crls.
>
>         ssl_client_certificate     /etc/ngx_cas;
>         ssl_verify_client          strict;
>         ssl_crl                          /etc/ngx_crls;
>
> When I make a request using curl, I get a 400 Bad request with SSL
> certificate error, even though the client certificate is valid and signed by
> one of the 3 CAs recognized by NGINX. This CA does not have a CRL tied to
> it. Upon checking logs, this is the error that is thrown:
>        2019/10/09 21:40:28 [info] 25610#0: *1 client SSL certificate verify
> error: (3:unable to get certificate CRL) while reading client request
> headers,
>
> However, when I remove the configured CRL from NGINX, the curl request goes
> through and authentication is successful.
>
> Is there any limitation on CRLs where if one trustpoint's CRL is configured,
> then CRL for all should be configured as well?

Yes, as long as ssl_crl is configured, nginx uses the
X509_V_FLAG_CRL_CHECK_ALL flag, which implies that verification
against CA certificates which do not have CRLs will fail.  That
is, you have to configure CRLs for all CA certificates you use
(including intermediate CAs if there are any).

--
Maxim Dounin
http://mdounin.ru/
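The behaviour Maxim describes can be reproduced outside nginx with the openssl CLI. The script below is an added example, not code from the thread or from nginx: it builds two throwaway CAs (made-up names ca-a and ca-b), a client certificate from each, a CA bundle in the role of ssl_client_certificate and a CRL file in the role of ssl_crl, then verifies with -crl_check_all, which sets the same X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL flags nginx applies once ssl_crl is configured. It assumes OpenSSL 1.1.1 or 3.x is installed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "error 3: unable to get certificate CRL"
# with a two-CA bundle and a single CRL, then fix it by issuing a CRL for every CA.
set -eu
WORK=$(mktemp -d); cd "$WORK"
: > index.txt                     # empty CA database: nothing is revoked in this demo
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = crl_ca
[crl_ca]
database = index.txt
default_md = sha256
default_crl_days = 30
EOF

mk_ca() {      # $1 = CA name: self-signed root allowed to sign certificates and CRLs
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
mk_client() {  # $1 = issuing CA, $2 = client name
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -out "$2.pem" 2>/dev/null
}
mk_crl() {     # $1 = CA name: issue an (empty) CRL signed by that CA
  openssl ca -config demo.cnf -gencrl -cert "$1.pem" -keyfile "$1.key" -out "$1.crl" 2>/dev/null
}
# $1 = CRL file (the ssl_crl equivalent), $2 = client cert to check.
# Chain-wide CRL checking against the CA bundle, as nginx does; returns openssl's status.
verify_client() {
  openssl verify -CAfile ngx_cas -crl_check_all -CRLfile "$1" "$2" 2>&1
}

mk_ca ca-a; mk_ca ca-b
mk_client ca-a client-a; mk_client ca-b client-b
cat ca-a.pem ca-b.pem > ngx_cas             # ssl_client_certificate bundle
mk_crl ca-a; cp ca-a.crl ngx_crls           # ssl_crl holding CA-A's CRL only
verify_client ngx_crls client-a.pem         # client-a.pem: OK
verify_client ngx_crls client-b.pem || true # error 3 ... unable to get certificate CRL

# Fix: every CA in the bundle needs a CRL, even an empty one; concatenate them into ssl_crl.
mk_crl ca-b; cat ca-a.crl ca-b.crl > ngx_crls
verify_client ngx_crls client-b.pem         # client-b.pem: OK
```

The same applies to any intermediate CA in the chain: with CRL_CHECK_ALL OpenSSL looks up a CRL for each certificate in the chain, not just the issuer of the client certificate.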