Hello Forum,
Anyone has an idea how to allow (force) ssl_verify_client? I have done everything that was requested by the manuals, but if I set ssl_verify_client on, then the page receives a 403, like I couldn't verify the client. This is mainly needed to make the Braintree payment method available, if anyone has encountered them before.
Can you please help me out with this?
My related lines in my config file are:
ssl_certificate /etc/nginx/ssl/mycompany.hu.combined.crt;
ssl_certificate_key /etc/nginx/ssl/mycompany.hu.key;
ssl_client_certificate /etc/nginx/ssl/RapidSSL-CA.crt;
ssl_verify_client optional;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
And inside my first location, I have:
if ($ssl_client_verify != SUCCESS) {
return 403;
}
And before you say it: I know IF IS EVIL :) But this one worked like a charm, so I wish to keep it if I can. OFC if I have to remove it, but that makes the website work, then so be it.
Regards:
Bert
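For comparison, here is an added example (not Bert's config and not from the nginx project) of the same $ssl_client_verify check scoped to a single location, with the client CA separated from the CA that issued the server certificate and the verification result logged. All file paths, the server name, the /webhooks/ path and the upstream address are assumptions.

```nginx
# Added example, not the original poster's configuration.
# log_format has to live in the http context, so the wrapper is shown.
http {
    # Record the verification result and client subject for every request,
    # so a 403 can be traced to NONE (no cert sent) or FAILED:<reason>.
    log_format mtls '$remote_addr "$request" $status '
                    'verify=$ssl_client_verify dn="$ssl_client_s_dn"';

    server {
        listen 443 ssl;
        server_name example.com;                      # assumed name

        ssl_certificate     /etc/nginx/ssl/example.com.combined.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_protocols       TLSv1.2;

        # A CA dedicated to client certificates, NOT the public CA that
        # issued the server certificate: nginx accepts any client cert
        # chaining to whatever is in this file, so pointing it at a public
        # CA would admit every certificate that CA ever issued to anyone.
        ssl_client_certificate /etc/nginx/ssl/client-ca.crt;  # assumed path
        ssl_verify_depth       2;

        # "optional" lets ordinary visitors complete the handshake without a
        # certificate ($ssl_client_verify becomes NONE); "on" would make nginx
        # reject them at the TLS layer for the whole server block, not just
        # for the paths that need a client certificate.
        ssl_verify_client optional;

        access_log /var/log/nginx/mtls.log mtls;

        # Public pages: no client certificate required.
        location / {
            root /var/www/html;
        }

        # Only this path insists on a verified client certificate.
        location /webhooks/ {
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_pass http://127.0.0.1:8080;          # assumed upstream
        }
    }
}
```

Reload and check the mtls log: a visitor without a certificate shows verify=NONE and still reaches /, while /webhooks/ returns 403 for anything other than verify=SUCCESS.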