Tongsuo-Project / Tongsuo

铜锁/Tongsuo is a Modern Cryptographic Primitives and Protocols Library
https://www.tongsuo.net
Apache License 2.0
1.14k stars 183 forks source link

谁配过ssl_crl,为啥我配置后,客户端得到400的状态码错误 #613

Open LRblazer opened 5 months ago

LRblazer commented 5 months ago

请教大佬

Homqyy commented 4 months ago

This occurs because nginx needs to have CRLs for every certificate that's mentioned in ssl_client_certificate cert chain, including the root CA's CRL.

I hit this myself when I created root and intermediate CAs in order to generate certs for intranet sites. When I configured nginx to use SSL client authentication, I only used the CRL from our intermediate CA. nginx needs to see the CRL for every certificate in the chain, including the intermediate CA, to make sure that the intermediate CA's certificate hasn't been revoked by the root. Concatenating the root CRL onto the intermediate CRL fixed the issue.