Nginx configures SSL two-way authentication. The client failed to send certificate chain verification.

problem description

if you want to pass the nginx proxy EMQ server, the SSL two-way authentication is put on the nginx (the SSL two-way authentication is also put on the EMQ to shake hands. After the client sends the client hello, the server returns the alarm directly. (the handshake can be successfully started with 0x0017 in the supported groups extension in the client hello message, but the client hello message on the client cannot be modified. )
use nginx proxy tcp connection, and enable SSL two-way authentication on nginx. The server puts the root certificate and private key, and places the client root certificate (verify the client certificate chain). The client certificate uses a three-level certificate (root certificate-issue-> intermediate certificate-issue-> client certificate). The SSL connection fails. It is possible for the client to use an intermediate certificate to make an SSL connection with nginx.

the platform version of the problem and what methods you have tried

nginx version 1.15.8
nginx SSL partial configuration:

stream{
    upstream backend{
        server 127.0.0.1:1883;
    }
    upstream backend1{
        server 127.0.0.1:1883;
        server 127.0.0.1:1893;
        server 127.0.0.1:1903;
    }
    
  server {
            listen 8884;
            -sharpproxy_connect_timeout 150s;
            -sharpproxy_buffer_size 3M;
            -sharptcp_nodelay on;
            -sharpproxy_timeout 150s;
            proxy_pass backend1;
        }
  server {
            listen 8888 ssl;
            proxy_connect_timeout 50s;
            proxy_timeout 50s;
            proxy_pass backend;
            proxy_buffer_size 3M;
            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers  HIGH:!aNULL:!MD5;
            ssl_certificate      D:/CERT/server-f/rootca.pem;
            ssl_certificate_key  D:/CERT/server-f/rootkey.pem;
            -sharpssl_session_timeout 10m;
            ssl_verify_depth 2;
            ssl_dhparam d:/dh-params.pem;
            ssl_client_certificate D:/CERT/client-f/rootca.pem;
            ssl_verify_client optional_no_ca;
       }

data capture package is as follows:

3

could you tell me how to configure nginx to pass my level 3 certificate chain? Or does nginx simply not support that the certificate chain sent by the client contains more than 3 certificates? Or is this not a nginx problem, but something else?

Jun.01,2022

nginx supports multi-level certificate verification, as long as you set the corresponding ssl_verify_depth .

I think you should configure the intermediate certificate (intermediate) on nginx, not the root certificate. Also, the CN and nginx domain names of the certificate must be the same.

possible problem points

  1. there is a problem with the certificate.
  2. there is a problem with nginx configuration, including domain name.
  3. there is a problem with client certificate verification.

you can roughly determine whether there is a problem with the server or the client by grabbing the wireshark packet, according to the sender of the TCP RST (reset) package.
or use the exclusion method to simplify the nginx configuration, proxy a HTTP server, and then use the curl command to test instead of the client.

< H2 > reference example < / H2 >

because the length is too long, move to the article "nginx proxy server configuration two-way certificate verification"
https://codeshelper.com/a/11...

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e99bd5-4753c.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e99bd5-4753c.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?