我们公司的Web应用程序使用客户端证书进行身份validation。 我们希望添加一些iPad客户端到库存盘点等等。客户端证书身份validation在桌面浏览器中工作得很好,但是当我们使用完全相同的证书在iPad上的桌面浏览器中工作时,我们得到这个错误nginx的:
7200#7200: *2 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers
Nginx向iPad客户端返回一个400错误的请求“The SSL Certificate Error”。
CA公共证书和中级CA证书安装在iPad上,并安装在服务器上。 再次,我们的设置,客户端证书身份validation对桌面浏览器正常工作。
这是iPad问题,nginx问题还是证书问题? 我们如何解决和解决它?
更新更多的信息 :
openssl x509 -purpose用于创buildpkcs文件的证书是:
Certificate purposes: SSL client : Yes SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No S/MIME signing : Yes S/MIME signing CA : No S/MIME encryption : Yes S/MIME encryption CA : No CRL signing : Yes CRL signing CA : No Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : No Time Stamp signing : No Time Stamp signing CA : No
…看起来是正确的。
用于创buildpkcs文件的命令是:
openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -nodes -passout pass:mypassword
iPad安assembly置文件对话框声明身份证书没有签名,但让我安装它。
更新2
可能的线索:
安装后,当您在iPad上查看证书详细信息时,iPad会显示“已签名”并列出证书自己的名称。 当您在Firefox中查看证书时,Firefox在“ Issued By字段中显示正确的CA. 我不确定这是iPad故障还是证书没有正确签名。
以下是用于创build和签署证书的确切代码(带有简化的文件名):
openssl genrsa -out file.key 4096 openssl req -new -key file.key -out file.csr -subj "$DN" openssl x509 -req -days 365 -in file.csr -CA ca.crt -CAkey ca.key -set_serial $SerialNumber -out file.crt openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile ca.pem -nodes -passout pass:secret 2>&1
注意:$ DN和$ SerialNumber由PHP生成,在这里省略。 ca.pem是证书颁发机构的密钥和公共证书合并成一个文件。
更新3
我在iPad的debugging级别添加Nginx错误日志的输出。 公司名称和其他敏感信息被replace为通用字词。
2017/02/19 14:17:37 [debug] 20917#20917: post event 000055D4E36D71A0 2017/02/19 14:17:37 [debug] 20917#20917: delete posted event 000055D4E36D71A0 2017/02/19 14:17:37 [debug] 20917#20917: accept on 0.0.0.0:443, ready: 1 2017/02/19 14:17:37 [debug] 20917#20917: posix_memalign: 000055D4E368EA20:512 @16 2017/02/19 14:17:37 [debug] 20917#20917: *94 accept: xx.xx.xx.xx:62856 fd:10 2017/02/19 14:17:37 [debug] 20917#20917: *94 event timer add: 10: 60000:1487531917179 2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 1 2017/02/19 14:17:37 [debug] 20917#20917: *94 epoll add event: fd:10 op:1 ev:80002001 2017/02/19 14:17:37 [debug] 20917#20917: accept() not ready (11: Resource temporarily unavailable) 2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 http check ssl handshake 2017/02/19 14:17:37 [debug] 20917#20917: *94 http recv(): 1 2017/02/19 14:17:37 [debug] 20917#20917: *94 https ssl handshake: 0x16 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN supported by client: spdy/3.1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN supported by client: spdy/3 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN supported by client: http/1.1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL ALPN selected: http/1.1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL server name: "our.server.com" 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_do_handshake: -1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2 2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 0 2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL handshake handler: 0 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_do_handshake: -1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2 2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL handshake handler: 0 2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:0, error:26, depth:1, subject:"/CN=OUR-COMPANY Client CA/ST=State/C=US/O=OUR-COMPANY Client CA", issuer:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc" 2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:1, error:26, depth:2, subject:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc", issuer:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc" 2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:1, error:26, depth:1, subject:"/CN=OUR-COMPANY Client CA/ST=State/C=US/O=OUR-COMPANY Client CA", issuer:"/C=US/ST=State/L=City/O=OUR-COMPANY, Inc/CN=OUR-COMPANY, Inc" 2017/02/19 14:17:37 [debug] 20917#20917: *94 verify:1, error:26, depth:0, subject:"/C=US/ST=State/L=City/O=OUR-COMPANY Client Certificate/CN=OUR-COMPANY-MUS-58A9EEA5", issuer:"/CN=OUR-COMPANY Client CA/ST=State/C=US/O=OUR-COMPANY Client CA" 2017/02/19 14:17:37 [debug] 20917#20917: *94 ssl new session: F89EA5F8:32:1533 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_do_handshake: 1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD" 2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 1 2017/02/19 14:17:37 [debug] 20917#20917: *94 http wait request handler 2017/02/19 14:17:37 [debug] 20917#20917: *94 malloc: 000055D4E3702330:1024 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_read: -1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2 2017/02/19 14:17:37 [debug] 20917#20917: *94 free: 000055D4E3702330 2017/02/19 14:17:37 [debug] 20917#20917: *94 post event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 delete posted event 000055D4E36D7380 2017/02/19 14:17:37 [debug] 20917#20917: *94 http wait request handler 2017/02/19 14:17:37 [debug] 20917#20917: *94 malloc: 000055D4E3702330:1024 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_read: 313 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_read: -1 2017/02/19 14:17:37 [debug] 20917#20917: *94 SSL_get_error: 2 2017/02/19 14:17:37 [debug] 20917#20917: *94 reusable connection: 0 2017/02/19 14:17:37 [debug] 20917#20917: *94 posix_memalign: 000055D4E369B8A0:4096 @16 2017/02/19 14:17:37 [debug] 20917#20917: *94 http process request line 2017/02/19 14:17:37 [debug] 20917#20917: *94 http request line: "GET / HTTP/1.1" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http uri: "/" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http args: "" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http exten: "" 2017/02/19 14:17:37 [debug] 20917#20917: *94 posix_memalign: 000055D4E3703F20:4096 @16 2017/02/19 14:17:37 [debug] 20917#20917: *94 http process request header line 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Host: our.server.com" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Accept-Language: en-us" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Connection: keep-alive" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "Accept-Encoding: gzip, deflate" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header: "User-Agent: Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http header done 2017/02/19 14:17:37 [info] 20917#20917: *94 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client: xx.xx.xx.xx, server: our.server.com, request: "GET / HTTP/1.1", host: "our.server.com" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http finalize request: 495, "/?" a:1, c:1 2017/02/19 14:17:37 [debug] 20917#20917: *94 event timer del: 10: 1487531917179 2017/02/19 14:17:37 [debug] 20917#20917: *94 http special response: 495, "/?" 2017/02/19 14:17:37 [debug] 20917#20917: *94 http set discard body 2017/02/19 14:17:37 [debug] 20917#20917: *94 xslt filter header 2017/02/19 14:17:37 [debug] 20917#20917: *94 HTTP/1.1 400 Bad Request Server: nginx Date: Sun, 19 Feb 2017 19:17:37 GMT Content-Type: text/html Content-Length: 224 Connection: close
可能的答案:iPad在其可信的CA商店中有中级CA证书(用于签署客户证书的证书)。 当我从iPad中删除中间CA时,客户端证书能够与Nginx一起工作。 我也尝试在桌面版Firefox中安装中间CA作为可信任的CA,并且一旦我这样做了,我在Firefox客户端中得到了与Nginx相同的错误。
所以,虽然证书现在正在工作,但我为什么信任发布客户证书的CA会破坏他们,我很困惑。
既然我还有赏金的奖励,我会把奖金给任何一个人:
-要么-
Nginx不允许将SSL server : Yes用于客户端身份validation证书SSL server : Yesangular色。