Client Authentication Problem when accessing from an Android phone

Hi there,

I'm trying to set up a reverse proxy server with client authentication.

— Environment —
My CA is two-tier:
Root CA - intermediate CA - client certificate.

— Problem Description —
When I accessed the proxy server from a laptop PC,
only the correct client certificate was suggested,
and it authenticated successfully.

But when I accessed the proxy server from an Android phone,
ALL installed client certificates were suggested,
and if I chose a *wrong client certificate, it authenticated successfully.

*wrong client certificate: a certificate whose Root CA is the same but
whose intermediate CA is different.

My nginx configuration is as follows (comments added for the directives that matter here).

ssl on;
ssl_certificate cert/servercert;
ssl_certificate_key cert/serverkey;

ssl_session_timeout 5m;

# SSLv3 is obsolete (POODLE); TLS-only is the safe choice.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# the post tried both "HIGH:!aNULL:!MD5" and "HIGH:!aNULL:!MD5:!3DES"
ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;

ssl_verify_client on;
ssl_verify_depth 2;
# CAs used to verify client certificates; these are also the CA names
# advertised to the client in the CertificateRequest.
ssl_client_certificate cert/intermediate.cert;
# additional trusted CAs that are NOT advertised to the client.
ssl_trusted_certificate cert/intermediate_and_root.cert;

— END

Best Regards,
atsushi

Posted at Nginx Forum:

Hello!

On Fri, Jan 08, 2016 at 03:33:56AM -0500, atsushi2550 wrote:

> only the correct client certificate was suggested,
> and it authenticated successfully.
>
> But when I accessed the proxy server from an Android phone,
> ALL installed client certificates were suggested,
> and if I chose a *wrong client certificate, it authenticated successfully.
>
> *wrong client certificate: a certificate whose Root CA is the same but
> whose intermediate CA is different.

It’s not possible to limit client authentication to only allow
certs issued by an intermediate CA. All certificates which can be
verified up to the trusted root CA are allowed.

If you need to additionally limit access to only allow certain
certs, you can do so based on variables provided by the SSL
module, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

Something like

if ($ssl_client_i_dn != "...") {
    return 403;
}

should be appropriate in your case.


Maxim D.
http://nginx.org/
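To see why the certificate from the other intermediate passed, here is an added example (not code from the thread, nginx or its author) that rebuilds the two-tier CA described above with the openssl CLI: one root, two intermediates under it, and one client certificate under each. All names ("Example Root CA", intA, leafB, alice, bob) are invented, and the script assumes openssl 1.1.1 or later is on PATH. It runs the same chain verification against a trusted root that nginx's ssl_verify_client performs, which succeeds for both clients, and then applies the issuer-DN check suggested above, which rejects the client issued by the other intermediate.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI (1.1.1 or
# later); every name below ("Example Root CA", intA, leafB, ...) is invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two tiers below the root.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Self-signed root: the trust anchor nginx ends up trusting.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Example Root CA" \
    -keyout root.key -out root.pem 2>/dev/null

# issue PREFIX ISSUER CN EXTFILE: generate a key for CN and have ISSUER sign it.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 7 -extfile "$4" -out "$1.pem" 2>/dev/null
}

# Two intermediates under the same root, one client certificate under each.
issue intA root "Example Intermediate A" ca.ext
issue intB root "Example Intermediate B" ca.ext
issue leafA intA "alice" leaf.ext   # the "correct" client certificate
issue leafB intB "bob"   leaf.ext   # the "wrong" one: same root, other intermediate

# verify_leaf LEAF INTERMEDIATE: build the chain to the trusted root the way
# TLS client verification does (the client sends its intermediate, the root is
# trusted). Returns 0 when the chain verifies.
verify_leaf() {
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
}

# issuer_dn LEAF: the issuer name in RFC 2253 form, the formatting nginx uses
# for $ssl_client_i_dn since 1.11.6.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Policy: only certificates issued by intermediate A may log in.
ALLOWED_ISSUER="CN=Example Intermediate A"

# check_client LEAF INTERMEDIATE: chain verification followed by the issuer
# check; prints the decision the equivalent nginx config would make, returns 0/1.
check_client() {
    if ! verify_leaf "$1" "$2"; then
        echo "$1: chain does not verify -> handshake fails"
        return 1
    fi
    dn=$(issuer_dn "$1")
    if [ "$dn" != "$ALLOWED_ISSUER" ]; then
        echo "$1: verified, but issuer '$dn' is not allowed -> 403"
        return 1
    fi
    echo "$1: verified, issuer '$dn' -> accepted"
}

# Both chains verify: that is all ssl_verify_client checks once the root is trusted.
verify_leaf leafA.pem intA.pem && echo "leafA chains to root: OK"
verify_leaf leafB.pem intB.pem && echo "leafB chains to root: OK (same root)"

# The issuer check is what tells the two apart.
check_client leafA.pem intA.pem || true
check_client leafB.pem intB.pem || true
```

The string to compare against in nginx is whatever `$ssl_client_i_dn` yields for a known-good client, so log it once before writing the check; on nginx older than 1.11.6 (as in this 2016 thread) the variable is in the legacy `/CN=...` one-line form, which later versions expose as `$ssl_client_i_dn_legacy`. In a real server block an nginx `map` from `$ssl_client_i_dn` to an allow flag, tested by the `if`, keeps the list of permitted issuers in one place.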

Dear Maxim D.

Hello !

Thank you for the quick response.
I understand your answer.

Adding
if ($ssl_client_i_dn != "...") {
    return 403;
}

lets me limit access to certificates issued by the intended intermediate CA.

Regards,
Atsushi
