
Nginx gives ssl_client_verify ok with an expired client certificate

mx

I am testing mTLS with nginx ingress and I have a working scenario. Now I'm trying to see what happens with an expired client certificate:

Validity
  Not Before: Oct 13 20:05:00 2022 GMT
  Not After : Oct 13 21:05:00 2022 GMT

Curl's output is:

* Server certificate:
*  subject: C=ES; ST=Madrid; L=Madrid; O=My company; OU=My OU
*  start date: Oct 12 09:31:00 2022 GMT
*  expire date: Oct 10 09:31:00 2028 GMT
*  subjectAltName: host "thirdparties.mydomain.com" matched cert's "thirdparties.mydomain.com"
*  issuer: C=ES; L=Madrid; O=My company; OU=My OU; CN=Thirdparties CA
*  SSL certificate verify ok.
> POST /foo HTTP/1.1
> Host: thirdparties.mycompany.com
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 1012
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Server: nginx/1.21.5
< Date: Fri, 14 Oct 2022 16:47:30 GMT
< Content-Type: text/html
< Content-Length: 215
< Connection: close
<
<html>
<head><title>400 The SSL certificate error</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.21.5</center>
</body>
</html>

Nginx is reporting the SSL certificate as OK, so I cannot use the $ssl_client_verify variable for my purpose of returning a custom error page in JSON format.

I always need to return the response in JSON format. Customizing the 400 error page is not possible; any attempt to capture the error has been useless and it always returns the error in the same format. This is my VirtualServer spec:

spec:
  host: thirdparties.mycompany.com
  policies:
  - name: nginx-virtualserver-thirdparties-policy
  routes:
  - action:
      pass: my-api   # must match the upstream name declared below (was "myapi-api")
    location-snippets: if ($ssl_client_verify != SUCCESS) { return 495; }
    path: /foo
  - action:
      return:
        body: |
          {\"code\": \"BAD_REQUEST\", \"message\": \"Client certificate error\"}
        code: 495
        type: application/json
    path: /bar # force error even with good certificate
  server-snippets: |
    if ($ssl_client_verify != SUCCESS) {
      return 495;
    }
  tls:
    secret: nginx-virtualserver-thirdparties
  upstreams:
  - name: my-api
    port: 8000
    service: my-api
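
Added example, written for this page and not part of the question or of the NGINX Ingress Controller's own templates. Two details in the transcript above are worth reading carefully: the `SSL certificate verify ok.` line sits under `* Server certificate:`, so it is curl reporting on the server's certificate, not on the client one; and the HTML page titled `400 The SSL certificate error` is nginx's built-in page for its internal code 495, which it emits when client certificate verification fails (an expired certificate included) before the request is routed to any location, so a location-level `if` on `$ssl_client_verify` never runs. nginx does let `error_page` catch its internal codes 495 (client certificate verification failed) and 496 (no client certificate presented); the plain nginx server block below routes both to a named location that answers in JSON and echoes `$ssl_client_verify`, whose value is `SUCCESS`, `NONE`, or `FAILED:reason` (for this case `FAILED:certificate has expired`). The certificate paths, the server name and the upstream `my-api:8000` are placeholders; that the same `error_page` line and named location can be placed in the VirtualServer's `server-snippets` is an assumption about the controller, not something the page confirms.

```nginx
# Added example (not the poster's configuration): return JSON instead of
# nginx's built-in HTML page when client certificate verification fails.
server {
    listen 443 ssl;
    server_name thirdparties.mycompany.com;          # placeholder

    ssl_certificate        /etc/nginx/tls/server.crt;          # placeholder path
    ssl_certificate_key    /etc/nginx/tls/server.key;          # placeholder path
    ssl_client_certificate /etc/nginx/tls/thirdparties-ca.crt; # placeholder path
    ssl_verify_client      on;

    # nginx internal codes:
    #   495 - client certificate verification failed (expired, wrong CA, ...)
    #   496 - no client certificate was presented
    # Without this line nginx answers with its own "400 The SSL certificate error" page.
    error_page 495 496 = @cert_error;

    location @cert_error {
        default_type application/json;
        # $ssl_client_verify is "FAILED:<reason>" (e.g. "FAILED:certificate has expired")
        # or "NONE" when no certificate was sent.
        return 400 '{"code": "BAD_REQUEST", "message": "Client certificate error", "detail": "$ssl_client_verify"}';
    }

    # Only requests whose client certificate verified reach the routes below.
    location /foo {
        proxy_pass http://my-api:8000;                # placeholder upstream
    }
}
```

After reloading, a request with the expired certificate should still get status 400, but with `Content-Type: application/json` and the JSON body above; a request with the valid certificate is proxied as before. Because the 495 path is taken before routing, the `if ($ssl_client_verify != SUCCESS)` snippets in the spec are redundant with `ssl_verify_client on` and can be dropped.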