
Has anyone configured ssl_crl? Why does the client get a 400 status code after I configure it? #613

Open
LRblazer opened this issue Jun 6, 2024 · 2 comments


@LRblazer

LRblazer commented Jun 6, 2024

Asking the experts for advice.

@Homqyy

Homqyy commented Jun 28, 2024

This occurs because nginx needs to have CRLs for every certificate that's mentioned in ssl_client_certificate cert chain, including the root CA's CRL.

I hit this myself when I created root and intermediate CAs in order to generate certs for intranet sites. When I configured nginx to use SSL client authentication, I only used the CRL from our intermediate CA. nginx needs to see the CRL for every certificate in the chain, including the intermediate CA, to make sure that the intermediate CA's certificate hasn't been revoked by the root. Concatenating the root CRL onto the intermediate CRL fixed the issue.

@wolf-hunter404

I just ran into this problem recently, and it is exactly what Homqyy answered. The CRL file is in PEM format, and it must contain not only the CRL covering the client certificate but also the CRLs of the parent CAs, all the way up to the root, in any order. That is because when Tengine loads the CRL it iterates over every CRL in the whole PEM file and associates each one with its issuer. Then, during the handshake, it performs a revocation check on every certificate in the whole certificate chain.
Using a CRL to verify client certificates has a drawback: you have to make sure the CRL never expires, so you have to fetch a new CRL periodically and overwrite the old one. Once it expires, the handshake fails too, and Tengine cannot turn off the CRL expiry check.

-----BEGIN X509 CRL-----
base64 of CRL one
-----END X509 CRL-----
-----BEGIN X509 CRL-----
base64 of CRL two
-----END X509 CRL-----
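
Both answers above come down to one rule: when ssl_crl is set, nginx (and Tengine, which inherits this code) puts X509_V_FLAG_CRL_CHECK_ALL on the certificate store, so OpenSSL needs a current CRL from the issuer of every certificate in the chain, the root included, and a missing or expired CRL fails verification. nginx reports a failed client verification with its internal code 495, which is delivered to the client as HTTP 400 unless error_page 495 remaps it; that is the 400 in the title. The script below is an added example, not code from the Tengine project or from either commenter. It builds a root CA, an intermediate CA and a client certificate with the openssl CLI (1.1.1 or 3.x), issues one CRL per CA, and reproduces the server's decision offline with `openssl verify -crl_check_all` for three CRL files: the intermediate CRL alone (the reporter's configuration), the concatenated bundle, and a bundle whose intermediate CRL has passed nextUpdate. It also writes the matching nginx directives. Every CA name, subject and path in it is made up.

```shell
#!/bin/sh
# Added example (not code from Tengine or from the issue's participants).
# Builds a root CA, an intermediate CA and a client certificate, issues one
# CRL per CA, and runs `openssl verify -crl_check_all`, the same full-chain
# revocation check a server performs behind ssl_crl, against three CRL files.
# Needs only the openssl CLI (1.1.1 or 3.x); every name below is made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME SUBJECT [PARENT]: key, cert (self-signed when PARENT is empty)
# and the files `openssl ca -gencrl` wants. Extensions come from an extfile
# so the result does not depend on the system openssl.cnf.
make_ca() {
  name="$1"; subj="$2"; parent="${3:-}"; d="$WORK/$name"
  mkdir -p "$d/newcerts"; touch "$d/index.txt"
  echo 01 > "$d/crlnumber"; echo 1000 > "$d/serial"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  if [ -z "$parent" ]; then
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 365 -sha256 \
      -extfile "$d/ext" -out "$d/ca.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/ca.csr" -CA "$WORK/$parent/ca.crt" -CAkey "$WORK/$parent/ca.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$d/ext" -out "$d/ca.crt" 2>/dev/null
  fi
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database      = $d/index.txt
new_certs_dir = $d/newcerts
serial        = $d/serial
crlnumber     = $d/crlnumber
certificate   = $d/ca.crt
private_key   = $d/ca.key
default_md    = sha256
EOF
}

# issue_crl NAME OUT [openssl ca options]: empty CRL signed by CA NAME; the
# -crldays/-crlhours/-crlsec option sets nextUpdate.
issue_crl() {
  name="$1"; out="$2"; shift 2
  openssl ca -config "$WORK/$name/ca.cnf" -gencrl -md sha256 "$@" -out "$out" 2>/dev/null
}

# verify_client CRLFILE: 0 when client.crt passes full-chain CRL checking with
# the CRLs in CRLFILE, 1 otherwise. Prints the decisive openssl output line.
verify_client() {
  out=$(openssl verify -crl_check_all -CAfile "$WORK/root/ca.crt" \
        -untrusted "$WORK/inter/ca.crt" -CRLfile "$1" "$WORK/client.crt" 2>&1 || true)
  printf '%s\n' "$out" | grep -e 'depth lookup' -e ': OK$' || true
  printf '%s\n' "$out" | grep -q ': OK$'
}

# next_updates BUNDLE: issuer and nextUpdate of every CRL in BUNDLE, the dates
# a refresh job must stay ahead of. `openssl crl` reads only the first PEM
# block, so the bundle is split into one CRL per BEGIN/END pair first.
next_updates() {
  rm -rf "$WORK/split"; mkdir -p "$WORK/split"
  awk -v dir="$WORK/split" '/^-----BEGIN X509 CRL-----/{n++} {print > (dir "/" n ".pem")}' "$1"
  for f in "$WORK"/split/*.pem; do
    openssl crl -in "$f" -noout -issuer -nextupdate | tr '\n' ' '; echo
  done
}

main() {
  make_ca root "/CN=Demo Root CA"
  make_ca inter "/CN=Demo Intermediate CA" root
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=alice" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter/ca.crt" -CAkey "$WORK/inter/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
  issue_crl root  "$WORK/root.crl"  -crldays 7
  issue_crl inter "$WORK/inter.crl" -crldays 7
  # What the server needs: every CA of the chain in ssl_client_certificate and
  # every CA's CRL in ssl_crl. The order inside either file does not matter.
  cat "$WORK/inter/ca.crt" "$WORK/root/ca.crt" > "$WORK/ca-chain.pem"
  cat "$WORK/inter.crl" "$WORK/root.crl" > "$WORK/crl-bundle.pem"
  cat > "$WORK/client-auth.conf" <<EOF
ssl_verify_client      on;
ssl_verify_depth       2;
ssl_client_certificate $WORK/ca-chain.pem;
ssl_crl                $WORK/crl-bundle.pem;
EOF
  # A bundle whose intermediate CRL is already past nextUpdate: this is what a
  # refresh job that runs too late leaves behind.
  issue_crl inter "$WORK/inter-stale.crl" -crlsec 1; sleep 2
  cat "$WORK/inter-stale.crl" "$WORK/root.crl" > "$WORK/crl-bundle-stale.pem"

  echo "== intermediate CRL only (what the reporter configured)"; verify_client "$WORK/inter.crl" || true
  echo "== intermediate + root CRL"; verify_client "$WORK/crl-bundle.pem" || true
  echo "== bundle containing an expired CRL"; verify_client "$WORK/crl-bundle-stale.pem" || true
  echo "== nextUpdate of each CRL in the good bundle"; next_updates "$WORK/crl-bundle.pem"
}
main
```

Run it as `sh crl-demo.sh`. The first case fails at depth 1 with "unable to get certificate CRL" because the intermediate's issuer (the root) has no CRL in the file, the second reports "client.crt: OK", and the third fails at depth 0 with "CRL has expired" even though both issuers are covered. The last section prints the nextUpdate of each CRL in the bundle; a cron or systemd timer that rebuilds the bundle should alarm when any of those dates is closer than its own run interval, since there is no directive to relax that check.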
