Tongsuo-Project / Tongsuo

铜锁/Tongsuo is a Modern Cryptographic Primitives and Protocols Library
https://www.tongsuo.net
Apache License 2.0

Has anyone configured ssl_crl? Why does the client get a 400 status code after I configure it? #613

Open LRblazer opened 5 months ago

LRblazer commented 5 months ago

Asking the experts for advice.

Homqyy commented 4 months ago

This occurs because nginx needs to have CRLs for every certificate that's mentioned in ssl_client_certificate cert chain, including the root CA's CRL.

I hit this myself when I created root and intermediate CAs in order to generate certs for intranet sites. When I configured nginx to use SSL client authentication, I only used the CRL from our intermediate CA. nginx needs to see the CRL for every certificate in the chain, including the intermediate CA, to make sure that the intermediate CA's certificate hasn't been revoked by the root. Concatenating the root CRL onto the intermediate CRL fixed the issue.

wolf-hunter404 commented 3 days ago

I just ran into this problem recently, and it is exactly what Homqyy answered. The CRL file is in PEM format, and it must contain not only the CRL content for the client certificate but also the CRL of each parent CA, all the way up to the root, in any order. This is because when tengine loads the CRL it walks every CRL in the PEM file and associates each one with its issuer; then, during the handshake, it runs a revocation check on every certificate in the chain. One drawback of using a CRL to verify client certificates is that you have to make sure the CRL never expires: you need to fetch a fresh CRL on a schedule and overwrite the old one, because once it expires the handshake fails as well, and tengine cannot turn off the CRL expiry check.

-----BEGIN X509 CRL-----
base64 of CRL 1
-----END X509 CRL-----
-----BEGIN X509 CRL-----
base64 of CRL 2
-----END X509 CRL-----
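A pre-flight check for the concatenated CRL bundle described in this thread, added here as an example (not code from the thread or from Tongsuo/tengine; it assumes the Python `cryptography` package). It reports a missing CRL for any CA in the chain, a CRL that is past nextUpdate, a CRL not signed by the CA it names, and a chain certificate listed in its issuer's CRL, which are the conditions the comments above say make the handshake fail.

```python
"""Pre-flight check for an nginx/tengine ssl_crl bundle (added example, not Tongsuo or
tengine code; assumes the `cryptography` package). Every CA in the ssl_client_certificate
chain needs a CRL in the bundle issued and signed by it, none may be past nextUpdate,
and no chain element may be listed in its issuer's CRL."""
import re
from datetime import datetime, timezone

from cryptography import x509

_CRL_RE = re.compile(rb"-----BEGIN X509 CRL-----.*?-----END X509 CRL-----", re.S)
_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_crls(bundle):
    """Parse every CRL in a concatenated PEM file; order is irrelevant."""
    return [x509.load_pem_x509_crl(m.group(0)) for m in _CRL_RE.finditer(bundle)]


def split_certs(bundle):
    """Parse every certificate in a concatenated PEM file."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in _CERT_RE.finditer(bundle)]


def _next_update(crl):
    """nextUpdate as an aware datetime, or None (the field is optional in RFC 5280)."""
    if hasattr(crl, "next_update_utc"):  # cryptography >= 42
        return crl.next_update_utc
    return crl.next_update.replace(tzinfo=timezone.utc) if crl.next_update else None


def check_crl_bundle(chain_pem, crl_pem, now=None):
    """Return the problems the handshake would hit; an empty list means the bundle is complete."""
    now = now or datetime.now(timezone.utc)
    cas, crls, problems = split_certs(chain_pem), split_crls(crl_pem), []
    for ca in cas:
        name = ca.subject.rfc4514_string()
        mine = [c for c in crls if c.issuer == ca.subject]
        if not mine:
            problems.append(f"no CRL for issuer {name}")
        for crl in mine:
            nxt = _next_update(crl)
            if not crl.is_signature_valid(ca.public_key()):
                problems.append(f"CRL claiming issuer {name} is not signed by that CA")
            elif nxt is not None and nxt <= now:
                problems.append(f"CRL for {name} expired at {nxt:%Y-%m-%d %H:%M}Z")
    for cert in cas:  # per chain element, as the handshake does: is it in its issuer's CRL?
        for crl in (c for c in crls if c.issuer == cert.issuer):
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
                problems.append(f"{cert.subject.rfc4514_string()} is revoked by its issuer")
    return problems
```

Run it against the file given to ssl_client_certificate and the file given to ssl_crl before reloading; a non-empty result is the reason for the 400.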