Hi,
We have set up a web service with client certificates as follows:
ssl on;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
ssl_certificate /etc/nginx/vhosts.d/ssl/bundle-cert.crt;
ssl_certificate_key /etc/nginx/vhosts.d/ssl/cert.key;
ssl_stapling on;
ssl_stapling_responder http://ocsp.xxxx.com/;
#ssl_stapling_verify on;
resolver 8.8.8.8;
ssl_verify_client optional;
ssl_verify_depth 3;
ssl_client_certificate /etc/nginx/vhosts.d/ssl/ClientCA.pem;
location / {
    try_files $uri $uri /index.php;
}
location ~* \.php$ {
    fastcgi_pass cifcgi;
    include fastcgi_ssl.conf;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /home/path/to/public_html/$fastcgi_script_name;
    fastcgi_param PLATFORM preview;
    fastcgi_param VERIFIED $ssl_client_verify;
    fastcgi_param DN $ssl_client_s_dn;
}
}
NGINX
nginx version: nginx/1.4.4
built by gcc 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux)
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --with-http_ssl_module --error-log-path=/var/log/error.log --http-log-path=/var/log/nginx/access.log --user=nginx --group=www --with-pcre=/root/Download/pcre-8.34 --add-module=/root/Download/ngx_http_redis-0.3.7 --with-debug
OpenSSL 1.0.1e 11 Feb 2013
RESULTS:
Authentication works, Client Cert is accepted if valid.
PROBLEM:
Certificate Chain is not visible on the client side.
We are trying to achieve the same thing that the Apache directive SSLOptions +ExportCertData does. The full Certificate Chain is available in SSL_CLIENT_CERT.
Any help will be much appreciated.
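
Added example, not part of the original post: a backend-side check for the parameters this config forwards, with Python standing in for the FastCGI application. VERIFIED and DN are the names from the config above; CLIENT_CERT is a hypothetical extra parameter assumed to be set with `fastcgi_param CLIENT_CERT $ssl_client_cert;`, an nginx variable that carries only the client's own certificate (tab-folded PEM), not the chain.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def unfold_pem(value):
    """Undo nginx's folding: $ssl_client_cert prefixes continuation lines with a tab."""
    return "\n".join(line.strip() for line in value.strip().splitlines()) + "\n"

def pem_to_der(pem):
    """Strictly decode a single PEM certificate block; raise ValueError otherwise."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a single PEM certificate block")
    # validate=True rejects any character outside the base64 alphabet
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def client_identity(params):
    """Return (dn, der) for a verified client certificate, else None."""
    # "ssl_verify_client optional" lets requests without a certificate reach
    # the backend, so DN means nothing unless nginx reports SUCCESS.
    if params.get("VERIFIED") != "SUCCESS":
        return None
    dn = params.get("DN", "")
    try:
        der = pem_to_der(unfold_pem(params.get("CLIENT_CERT", "")))
    except ValueError:
        return None
    return (dn, der) if dn else None

# Constructed sample input: the payload is placeholder bytes, not a real
# certificate, folded the way $ssl_client_cert would deliver it.
PAYLOAD = b"constructed placeholder bytes, not a real certificate " * 3
B64 = base64.b64encode(PAYLOAD).decode()
BODY = [B64[i:i + 64] for i in range(0, len(B64), 64)]
SAMPLE = {
    "VERIFIED": "SUCCESS",
    "DN": "/C=DE/O=Example/CN=alice",  # constructed subject DN
    "CLIENT_CERT": "\n\t".join([BEGIN, *BODY, END]),
}

if __name__ == "__main__":
    dn, der = client_identity(SAMPLE)
    print(dn, len(der), "bytes of DER")
    print(client_identity({**SAMPLE, "VERIFIED": "NONE"}))
```
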