Nginx v1.10.0
Apache v2.2.23
Hi guys
I need to set up client-side SSL authentication between an NGINX (client) and an APACHE (server).
My goal is to protect a specific location on my APACHE server using a certificate for authorized users, but I have an SSL renegotiation problem. (See APACHE/NGINX conf files)
By default, the server must be accessible, so I specify ‘SSLVerifyClient none’ at the root. And the location I want to protect has ‘SSLVerifyClient require’. The official documentation says that when SSLVerifyClient is put inside a Location tag, “it forces a SSL renegotiation” (https://httpd.apache.org/docs/2.2/fr/mod/mod_ssl.html#sslverifyclient).
I did some research and found that SSL renegotiation has been deactivated in Nginx since v0.8.23. So, in the certificate exchange, when APACHE asks for the NGINX certificate, the SSL renegotiation fails. Indeed, I get the Apache log: “Re-negotiation handshake failed: Not accepted by client!?”
Do you have any idea how to solve this issue? Can we “re-activate” SSL renegotiation?
Thanks!!!
Here is my APACHE configuration:
Listen xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx:443>
    DocumentRoot /appli/xxx/comp/html
    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile certf.pem
    SSLCertificateKeyFile key.key.pem
    SSLVerifyClient none
    <Location "/1.0/network/2">
        SSLCACertificateFile DEV_chaine.pem
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "xxx"
    </Location>
    ProxyPreserveHost On
    ProxyPass /excluded !
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>
And here is my NGINX configuration:
Listen xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx:443>
    DocumentRoot /appli/xxx/comp/html
    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile certf.pem
    SSLCertificateKeyFile key.key.pem
    SSLVerifyClient none
    <Location "/1.0/network/2">
        SSLCACertificateFile DEV_chaine.pem
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "xxx"
    </Location>
    ProxyPreserveHost On
    ProxyPass /excluded !
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>
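One way to avoid the renegotiation described in the post, as an added example that is not part of the original post: request the client certificate once, in the initial handshake at virtual-host level, and enforce it per location with SSLRequire only. File names and the "xxx" placeholders are copied from the post; the approach itself is an assumption about what fits this setup.

```apache
# Added example, not the poster's configuration. File names and "xxx"
# placeholders come from the post; the layout below is an assumption.
Listen xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx:443>
    DocumentRoot /appli/xxx/comp/html
    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile certf.pem
    SSLCertificateKeyFile key.key.pem

    # Ask for a client certificate during the initial handshake, but do not
    # fail the handshake when none is sent, so the rest of the site stays open.
    SSLCACertificateFile DEV_chaine.pem
    SSLVerifyClient optional
    SSLVerifyDepth 2

    <Location "/1.0/network/2">
        # No SSLVerifyClient or SSLVerifyDepth here: changing the verification
        # settings per location is what makes mod_ssl start a renegotiation.
        # Access is decided from the certificate already received.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_S_DN_CN} eq "xxx"
    </Location>

    ProxyPreserveHost On
    ProxyPass /excluded !
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>
```

With `optional`, every client connecting to the virtual host receives a certificate request, so browsers holding a matching certificate may prompt the user. On the NGINX side the client certificate is presented to the upstream with `proxy_ssl_certificate` and `proxy_ssl_certificate_key`.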