$ssl_client_verify not working?

Rafa_F · April 13, 2016, 2:02am

Hi, i was wanting to return a 403 when invalid client certificate
submitted,
however Nginx 1.9.6 returning 400 Bad Request, The SSL Certificate
Error.
Seems to return 403 fine when no certificate is submitted, but any clues
on
getting it to return a 403 work when invalid (signed by unauthorised CA)
certificate submitted.

Nginx server block -

server {
   listen       443 ssl;
   server_name  server.com;

   ssl_certificate   /etc/nginx/server.crt;
   ssl_certificate_key  /etc/nginx/server.key;

   ssl_client_certificate  /etc/nginx/client_ca.crt;
   ssl_verify_client optional;
   ssl_verify_depth 2;

   if ($ssl_client_verify != SUCCESS ) {
   return 403;
   }

Posted at Nginx Forum:

Ramon_Ali · April 13, 2016, 8:32am

… i also tried adding below, but still wouldn’t return a 403?

   error_page 400 =403 /;

Posted at Nginx Forum:

Ramon_Ali · April 14, 2016, 7:38pm

Does anyone know of any way to re-map a 400 response code?

Posted at Nginx Forum:

Ramon_Ali · April 14, 2016, 9:09pm

On 13 Apr 2016, at 03:01, Ramon_Ali [email protected] wrote:

  server_name  server.com;
  }

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors

error_page 495 496 =403 /403.html;

–
Igor S.

Ramon_Ali · April 14, 2016, 11:52pm

Ahh, as i wasn’t seeing the 495 and 496 codes in the logs, only 400 i
had
assumed that what i needed to re-map. Using 495 and 496 works
wonderfully!

Thanks Igor.

2016/04/14 21:46:51 [info] 7#7: *1 client SSL certificate verify error:
(21:unable to verify the first certificate) while reading client request
headers, client: 142.22.213.199, server: server.jetstar.com, request:
“GET /
HTTP/1.1”, host: “server.com”
172.23.203.199 - - [14/Apr/2016:21:46:51 +0000] “GET / HTTP/1.1” 403 168
“-”
“curl/7.40.0” “-”“/C=AU/ST=NSW/L=Sydney/O=ex NSI/OU=HQ/CN=Ramon’s
Key/[email protected]” “/C=AU/ST=NSW/O=NSI/OU=HQ/CN=Cert
Authority/[email protected]”;“FAILED”

Posted at Nginx Forum: