如何在提供客户端证书时调试 ssl_client_verify = NONE?

tag-icon tag-icon nginx openssl client-certificate
如何在提供客户端证书时调试 ssl_client_verify = NONE?

我们在docker上运行了一个nginx设置。

  • nginx 版本:1.13.11
  • openssl 版本 1.1.1
  • docker os 映像:在 aws ec2 实例上运行的 Ubuntu 18.04.2 LTS docker 容器:18.04.6 LTS(Bionic Beaver)

在 nginx 站点配置中,我们指定了以下内容:ssl_certificate /etc/ssl/certs/star.a.chain.crt; ssl_certificate_key /etc/ssl/private/star.a.key; ssl_verify_clientoptional_no_ca; ssl_verify_depth 5; ssl_client_certificate /etc/ssl/certs/a-rootca.pem;

为了测试,我们运行 curl -k -v 3 -trace --cacert ./cacert.crthttps://staging-www.a.com/path

输出:

*   Trying 0.0.0.3:80...
* TCP_NODELAY set
* Immediate connect fail for 0.0.0.3: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
*   Trying 184.72.12.XX:443...
* TCP_NODELAY set
* Connected to staging-www.a.com (xx.xx.xx.xx) port 443 (#1)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./cacert.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=XXXXXXXXXX; O=XXXXXXXXXX; OU=a; CN=*.a.com
*  start date: Jun  2 18:11:13 2016 GMT
*  expire date: May 30 18:11:13 2031 GMT
*  issuer: C=US; ST=California; O=XXXXXXXXXX; OU=XXXXXXXXXX; CN=XXXXXXXXXX Certification Authority; emailAddress=XXXXXXXXXX
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /path
> Host: staging-www.a.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.13.11
< Date: Thu, 11 Aug 2022 04:50:51 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Content-Type: text/plain
< X-DEBUG-SSLCLIENTVERIFY: NONE
< X-DEBUG-docroot: /usr/local/openresty/nginx/html

我们在标头中添加了 nginx 变量 ssl_client_verify 以进行调试,输出显示它为 NONE。由于我们在 curl 命令中提交了证书,我们一直在绞尽脑汁试图理解原因。我们注意到的一件事是调试日志中的以下日志:

2022/08/10 18:58:36 [debug] 206#206: *190 SSL_get_error: 6
2022/08/10 18:58:36 [debug] 206#206: *190 peer shutdown SSL cleanly

有人能帮忙吗?谢谢!

相关内容