I've set up my nginx server with self-signed SSL server-side certs, using my
own/local CA.
Without client-side verification, i.e. just an unverified-TLS connection,
all's good.
If I enable client-side SSL cert verification with

    ssl_certificate "ssl/example.com.server.crt.pem";
    ssl_certificate_key "ssl/example.com.server.key.pem";
    ssl_verify_client on;
    ssl_client_certificate "ssl_cert_dir/CA_intermediate.crt.pem";
    ssl_verify_depth 2;

a connecting Android app is failing on connect, receiving FROM the nginx
server,
HTTP RESPONSE:
Response{protocol=http/1.1, code=400, message=Bad Request,
url=https://proxy.example.com/dav/myuser%40example.com/3d75dc22-8afc-1946-5b3f-4d84e9b28432/}
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>
I've been unsuccessful so far using tshark/ssldump to decrypt the SSL
handshake; I suspect (?) it's because my certs are EC-signed. Still working on
that ...
In 'debug' level nginx logs, I see
2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'35:5'
2019/06/30 21:58:14 [debug] 41777#41777: *7 s:0 in:'2F:/'
2019/06/30 21:58:14 [debug] 41777#41777: *7 http uri: "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http args: ""
2019/06/30 21:58:14 [debug] 41777#41777: *7 http exten: ""
2019/06/30 21:58:14 [debug] 41777#41777: *7 posix_memalign: 0000558C35B3C840:4096 @16
2019/06/30 21:58:14 [debug] 41777#41777: *7 http process request header line
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Depth: 0"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Type: application/xml; charset=utf-8"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Content-Length: 241"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Host: proxy.example.com"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Connection: Keep-Alive"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Encoding: gzip"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Accept-Language: en-US, en;q=0.7, *;q=0.5"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header: "Authorization: Basic 1cC5...WUVi"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http header done
2019/06/30 21:58:14 [info] 41777#41777: *7 client sent no required SSL certificate while reading client request headers, client: 10.0.1.235, server: proxy.example.com, request: "PROPFIND /dav/myuser%40example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/ HTTP/1.1", host: "proxy.example.com"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http finalize request: 496, "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?" a:1, c:1
2019/06/30 21:58:14 [debug] 41777#41777: *7 event timer del: 15: 91237404
2019/06/30 21:58:14 [debug] 41777#41777: *7 http special response: 496, "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/?"
2019/06/30 21:58:14 [debug] 41777#41777: *7 http set discard body
2019/06/30 21:58:14 [debug] 41777#41777: *7 headers more header filter, uri "/dav/myuser@example.com/7a59f94d-6be5-18ef-4248-b8a2867fe445/"
2019/06/30 21:58:14 [debug] 41777#41777: *7 charset: "" > "utf-8"
2019/06/30 21:58:14 [debug] 41777#41777: *7 HTTP/1.1 400 Bad Request
Date: Mon, 01 Jul 2019 04:58:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 230
Connection: close
Secure: Groupware Server
X-Content-Type-Options: nosniff
In comms with the app vendor, I was asked:
Does your proxy send a TLS Certificate Request
(https://tools.ietf.org/html/rfc5246#section-7.4.4)?
... the TLS stack which is used ... won't send certificates
preemptively, but only when they're requested. In my tests, client certificates
are working as expected, but ONLY if the server explicitly requests them.
I don't recognize the preemptive request above.
DOES nginx send such a TLS Certificate Request by default? Is there a
required, additional config to force that request?
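One way to see directly whether the proxy sends a CertificateRequest, and which CA names it advertises in it, is to run OpenSSL's s_client with -state -msg against it and inspect the transcript. The helper below is an added example, not part of the original post or of nginx itself; it assumes openssl 1.1.1 or newer, and the host, port and client cert/key/CA paths are placeholders.

```shell
# Added example (not from the original post): detect the TLS CertificateRequest in
# an "openssl s_client -state -msg" transcript and list the CA names it carries.
# Assumes openssl 1.1.1+; host, port and the cert/key/CA paths are placeholders.

# Classify a transcript read from stdin. -state logs "read server certificate
# request" and -msg names the handshake message (also under TLS 1.3, where the
# message is encrypted on the wire), so either line shows the request was sent.
classify_cert_request() {
    if grep -q -e 'CertificateRequest' -e 'read server certificate request'; then
        echo requested
    else
        echo not-requested
    fi
}

# Print the DNs under "Acceptable client certificate CA names". With
# ssl_verify_client on, nginx builds this list from ssl_client_certificate;
# a client normally offers a certificate only if its chain leads to one of them.
acceptable_cas() {
    awk '/^Acceptable client certificate CA names/ { f = 1; next }
         f && /^(Client Certificate Types|Requested Signature|Shared Requested|Peer sign|Server Temp Key|---)/ { exit }
         f { print }'
}

# Live probe; s_client spreads its trace over stdout and stderr, hence 2>&1.
# Usage: probe_cert_request proxy.example.com 443 client.crt.pem client.key.pem \
#            CA_chain.pem | tee handshake.log | classify_cert_request
probe_cert_request() {
    host=$1; port=$2; cert=$3; key=$4; cafile=$5
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cert "$cert" -key "$key" -CAfile "$cafile" -state -msg </dev/null 2>&1
}

# Offline demonstration on a constructed transcript shaped like real s_client output.
SAMPLE_TRANSCRIPT='SSL_connect:SSLv3/TLS read server certificate request
<<< TLS 1.2, Handshake [length 0023], CertificateRequest
Acceptable client certificate CA names
C = US, O = Example, CN = Example Intermediate CA
Client Certificate Types: RSA sign, ECDSA sign'
printf '%s\n' "$SAMPLE_TRANSCRIPT" | classify_cert_request   # requested
printf '%s\n' "$SAMPLE_TRANSCRIPT" | acceptable_cas
```

If the live transcript says "not-requested", the problem is on the server side of the handshake; if it says "requested", compare the listed CA names with the issuer chain of the certificate the app has installed.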
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx