SSL握手时，nginx客户端未发送必需的SSL证书

Question

试图将其整理超过一个星期后，要把我的头撞在墙上，以便真正希望有人能阐明我在使用nginx时出错的地方！

我有这个nginx.conf文件，可以很好地运行（无论如何，我想要的方式）

events {
     worker_connections  4096; 
    }
        stream {
    upstream stream_backend {
        server backendapp:80;
    }
    server {
        listen                443 ssl;
        listen                8080;
        proxy_pass            stream_backend;
        ssl_certificate       ssl.crt;
        ssl_certificate_key   ssl.key;
        ssl_protocols         SSLv3 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
        #ssl_client_certificate ca.crt;
        #ssl_verify_client on;
        error_log /var/log/nginx/error.log debug;
     }
}

但是，我被要求启用客户端证书，并且当我从#ssl_client_certificate ca.crt;和#ssl_verify_client on;删除注释时，我将这些错误记录在nginx *13 client sent no required SSL certificate while SSL handshaking, client: 192.168.65.3, server: 0.0.0.0:443

中

尽管我作为请求的一部分发送了客户端证书。

我搜寻了互联网，找到了各种解决方案，但到目前为止，没有一个对我有用（包括SO在内）。任何帮助将不胜感激。

我正在像这样使用卷曲 curl -v -k C:\Temp\opscert\user.key -cert C:\Temp\opscert\user.crt https://local.example.com 和 curl -vk --key C:\Temp\opscert\user.key -cert C:\Temp\opscert\user.crt https://local.example.com

还带有Powershell，可以很好地测量 Invoke-WebRequest https://local.example.com -CertificateThumbprint 3b23775c0abfa0e9cb43e87b206dd6992ffc7e07

此外，我希望浏览器在浏览到https://local.example.com/时提示输入证书，但没有，我尝试使用Firefox，IE和Chrome。

chrome唯一一次请求证书的时间是当我将ssl_verify_client on;更改为ssl_verify_client optional;时，但这不是我们想要的。

这是nginx的错误

2018/11/23 17:21:42 [info] 6#6: *21 client 192.168.65.3:58176 connected to 0.0.0.0:443
2018/11/23 17:21:42 [info] 6#6: *21 client sent no required SSL certificate while SSL handshaking, client: 192.168.65.3, server: 0.0.0.0:443
2018/11/23 17:21:43 [info] 6#6: *22 client 192.168.65.3:58178 connected to 0.0.0.0:443
2018/11/23 17:21:43 [info] 6#6: *22 client sent no required SSL certificate while SSL handshaking, client: 192.168.65.3, server: 0.0.0.0:443
2018/11/23 17:21:48 [info] 6#6: *23 client 192.168.65.3:58194 connected to 0.0.0.0:443
2018/11/23 17:21:48 [info] 6#6: *23 client sent no required SSL certificate while SSL handshaking, client: 192.168.65.3, server: 0.0.0.0:443
2018/11/23 17:22:18 [info] 6#6: *24 client 192.168.65.3:58256 connected to 0.0.0.0:443
2018/11/23 17:22:18 [info] 6#6: *24 client sent no required SSL certificate while SSL handshaking, client: 192.168.65.3, server: 0.0.0.0:443
2018/11/23 17:23:18 [info] 6#6: *25 client 192.168.65.3:58378 connected to 0.0.0.0:443
2018/11/23 17:23:18 [info] 6#6: *25 client sent no required SSL certificate while SSL handshaking, client: 192.168.65.3, server: 0.0.0.0:443

卷曲响应

PS C:\Users\abx> curl -v -k C:\Temp\opscert\user.key -cert C:\Temp\opscert\user.crt https://client.example.com
* Rebuilt URL to: C:\Temp\opscert\user.key/
* Port number ended with '\'
* Closing connection -1
curl: (3) Port number ended with '\'
* Rebuilt URL to: C:\Temp\opscert\user.crt/
* Port number ended with '\'
* Closing connection -1
curl: (3) Port number ended with '\'
* Rebuilt URL to: https://client.example.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to client.example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=GB; ST=Surrey; L=London; O=H. Example Company Ltd; CN=*.example.com
*  start date: Jan  5 00:00:00 2017 GMT
*  expire date: Jan 10 12:00:00 2020 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: client.example.com
> User-Agent: curl/7.59.0
> Accept: */*
>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Empty reply from server
* Connection #0 to host client.example.com left intact
curl: (52) Empty reply from server
PS C:\Users\abx> curl -vk --key C:\Temp\opscert\user.key -cert C:\Temp\opscert\user.crt https://local.example.com
* Rebuilt URL to: C:\Temp\opscert\user.crt/
* Port number ended with '\'
* Closing connection -1
curl: (3) Port number ended with '\'
* Rebuilt URL to: https://local.example.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to client.example.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=GB; ST=Surrey; L=London; O=H. Example Company Ltd; CN=*.example.com
*  start date: Jan  5 00:00:00 2017 GMT
*  expire date: Jan 10 12:00:00 2020 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: client.example.com
> User-Agent: curl/7.59.0
> Accept: */*
>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Empty reply from server
* Connection #0 to host client.example.com left intact
curl: (52) Empty reply from server

Answer 1

对于powershell，仅导入user.crt（而不是pfx）

对于卷曲，同样的情况，请使用user.crt curl -v --key C:\Temp\opscert\user.key --cert C:\Temp\opscert\user.crt https://client.example.com

我仍然希望在通过浏览器访问时提示我进行证书工作，但是现在这很完美，因为请求将来自api。