Problem description
To reach the EMQ server through the nginx proxy, SSL two-way authentication is done on nginx (it is also done on EMQ for the handshake). After the client sends the Client Hello, the server immediately returns an alert. (The handshake can be started successfully with 0x0017 in the supported_groups extension of the Client Hello message, but the Client Hello message on the client cannot be modified.)
nginx proxies the TCP connection, with SSL two-way authentication enabled on nginx. The server is configured with the root certificate and private key, and with the client root certificate (to verify the client certificate chain). The client uses a three-level certificate chain (root certificate -issues-> intermediate certificate -issues-> client certificate). The SSL connection fails. The client can make an SSL connection with nginx using an intermediate certificate.
The platform version of the problem and what methods you have tried
nginx version 1.15.8
Partial nginx SSL configuration:
stream {
    upstream backend {
        server 127.0.0.1:1883;
    }
    upstream backend1 {
        server 127.0.0.1:1883;
        server 127.0.0.1:1893;
        server 127.0.0.1:1903;
    }
    server {
        listen 8884;
        #proxy_connect_timeout 150s;
        #proxy_buffer_size 3M;
        #tcp_nodelay on;
        #proxy_timeout 150s;
        proxy_pass backend1;
    }
    server {
        listen 8888 ssl;
        proxy_connect_timeout 50s;
        proxy_timeout 50s;
        proxy_pass backend;
        proxy_buffer_size 3M;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_certificate D:/CERT/server-f/rootca.pem;
        ssl_certificate_key D:/CERT/server-f/rootkey.pem;
        #ssl_session_timeout 10m;
        ssl_verify_depth 2;
        ssl_dhparam d:/dh-params.pem;
        ssl_client_certificate D:/CERT/client-f/rootca.pem;
        ssl_verify_client optional_no_ca;
    }
}
The packet capture is as follows:
Could you tell me how to configure nginx to accept my three-level certificate chain? Or does nginx simply not support a certificate chain sent by the client that contains more than 3 certificates? Or is this not an nginx problem, but something else?
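An added offline check, not part of the original question, that builds a constructed three-level client chain with openssl (hypothetical file names, nothing from D:/CERT) and shows which combinations a root-only trust file like the ssl_client_certificate above can verify, and what the configured ssl_verify_depth 2 allows:

```shell
#!/bin/sh
# Constructed chain: root -> intermediate -> client. All names are hypothetical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# mkcert <name> <CN> <extfile> [<issuer-cert> <issuer-key>]; 3 args = self-signed root
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ $# -eq 3 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 30 -extfile "$3" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial -out "$1.pem" -days 30 -extfile "$3" 2>/dev/null
  fi
}
mkcert rootca Root         ca.ext
mkcert inter  Intermediate ca.ext   rootca.pem rootca.key
mkcert client Client       leaf.ext inter.pem  inter.key
cat rootca.pem inter.pem > client-ca-bundle.pem   # root + intermediate in one trust file

# Each check returns openssl's exit status: 0 means the chain verified.
# Client presents only its leaf; verifier trusts only the root (like the config above).
verify_leaf_only() { openssl verify -CAfile rootca.pem client.pem >/dev/null 2>&1; }
# Client presents leaf + intermediate; the intermediate is untrusted but usable for chain building.
verify_client_sends_chain() { openssl verify -CAfile rootca.pem -untrusted inter.pem client.pem >/dev/null 2>&1; }
# Verifier's trust file holds root and intermediate, so a leaf-only client still verifies.
verify_server_bundle() { openssl verify -CAfile client-ca-bundle.pem client.pem >/dev/null 2>&1; }
# Depth limit as in ssl_verify_depth: the count of intermediates allowed between leaf and root.
verify_depth() { openssl verify -CAfile rootca.pem -untrusted inter.pem -verify_depth "$1" client.pem >/dev/null 2>&1; }

report() { if "$@"; then echo "$*: OK"; else echo "$*: FAIL"; fi; }
report verify_leaf_only            # FAIL: issuer (intermediate) not available
report verify_client_sends_chain   # OK
report verify_server_bundle        # OK
report verify_depth 2              # OK: one intermediate fits in depth 2
report verify_depth 0              # FAIL: depth 0 allows no intermediate
```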