Welcome! Log In Create A New Profile

Advanced

400 bad request with ssl_verify_client optional

Posted by Danomi Czaski 
Danomi Czaski
400 bad request with ssl_verify_client optional
June 28, 2018 02:30AM
I get 400 bad request when client certs are used early even though I
have ssl_verify_client optional.

nginx: [info] 9612#0: *338 client SSL certificate verify error:
(9:certificate is not yet valid) while reading client request headers,

Is there anyway to ignore the time check?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Sergey Kandaurov
Re: 400 bad request with ssl_verify_client optional
June 28, 2018 12:10PM
> On 28 Jun 2018, at 03:25, Danomi Czaski <[email protected]> wrote:
>
> I get 400 bad request when client certs are used early even though I
> have ssl_verify_client optional.
>
> nginx: [info] 9612#0: *338 client SSL certificate verify error:
> (9:certificate is not yet valid) while reading client request headers,
>
> Is there anyway to ignore the time check?

No way, but you may want to try “optional_no_ca” if it’s also not trusted.

--
Sergey Kandaurov

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: 400 bad request with ssl_verify_client optional
June 28, 2018 03:30PM
Hello!

On Wed, Jun 27, 2018 at 08:25:38PM -0400, Danomi Czaski wrote:

> I get 400 bad request when client certs are used early even though I
> have ssl_verify_client optional.
>
> nginx: [info] 9612#0: *338 client SSL certificate verify error:
> (9:certificate is not yet valid) while reading client request headers,
>
> Is there anyway to ignore the time check?

The only thing you can do if client presents an invalid certificate is
to handle this via the error_page directive, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors

In the error_page you can even recover to normal request handling,
but I wouldn't recommend doing this, as this can easily result in
security problems if a configuration uses $ssl_client_*
variables without checking $ssl_client_verify first.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Sorry, only registered users may post in this forum.

Click here to login