Nginx Proxy pass certificate autentificate to MS IIS

Question

Nginx 1.9.5 (linux Centos7)--> MS IIS 8.5 So i try to use nginx as client revers proxy for IIS where need client certificate authentication at IIS level. nginx:443->>IIS:443+client certificate authentications.

example location proxy pass also here are commented commands which i try.

location ^~ /test/ {
#proxy_buffering off;
#proxy_http_version 1.0;
#proxy_request_buffering off;
#proxy_set_header Connection "Keep-Alive";
#proxy_set_header X-SSL-CERT $ssl_client_cert;
# proxy_ssl_name domain.lv;
#proxy_ssl_trusted_certificate /etc/nginx/ssl/root/CA.pem;
#proxy_ssl_verify_depth 2;

proxy_set_header HOST domain.com;
proxy_ssl_certificate /etc/nginx/ssl/test.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/test_key.pem;
proxy_ssl_verify off;
proxy_pass https://10.2.4.101/;

 }

At IIS simple.

1. create new website.
2. import CA cert in trusted root.
3. set ssl cert required.

Test what i get :

1. Directly browser to IIS client cert required--worked.
2. Nginx to other nginx client cert required--worked.
3. Nginx to IIS client cert ignore--worked
4. Nginx to IIS client cert required or accept - NOT work

ERROR: Nginx side: *4622 upstream timed out (110: Connection timed out) while reading response header from upstream IIS side: 500 0 64 119971

So i hope someone could know why?

EDIT 1. also try from different server with nginx 1.8 nothing helped..

proxy_ssl_verify off;
proxy_ssl_certificate /etc/nginx/ssl/test/test.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/test/test_key.pem;
proxy_pass https://domain.com;

2.Try same with apache 2.4 all worked with

SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyMachineCertificateFile /etc/httpd/ssl/test.pem
ProxyPass "/test" "https://domain.com"

Maybe something with ssl renegotiation in nginx???

Answer 1

Your hunch about TLS renegotiation is correct. Nginx has not allowed TLS renegotiation since version 0.8.23 (see http://nginx.org/en/CHANGES). However, by default IIS will use TLS renegotiation when requesting a client certificate. (I haven't been able to find the reasons for this - I would be grateful if someone could enlighten me!)

You can use a packet sniffer such as wireshark to see this in action:

1. IIS and Nginx first perform a TLS handshake using the server certificate only.
2. Nginx requests the resource.
3. The resource requires client authentication, so IIS sends a 'Hello Request' message to Nginx to initiate TLS renegotiation.
4. Nginx doesn't respond to the Hello Request as TLS renegotiation has been disabled.
5. IIS then closes the connection as it gets no response. (See the section on renegotiation at https://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx)

To solve this problem, you must force IIS to request a client certificate on the initial TLS handshake. You can do this using the netsh utility from powershell or the command line:

1. Open a powershell prompt with administrator rights.
2. Enter netsh
3. Enter http
4. Enter show sslcert. You should see a list of all current SSL bindings on your machine:

5. Make a note of the IP:port and certificate hash of the certificate that you want to enable client certificate negotiations for. We are now going to delete this binding and re-add it with the Negotiate Client Certificate property set to enabled. In this example, the IP:port is 0.0.0.0:44300 and the certificate hash is 71472159d7233d56bc90cea6d0c26f7a29db1112.
6. Enter delete sslcert ipport=[IP:port from above]
7. Enter add sslcert ipport=[IP:port from above] certhash=[certificate hash from above] appid={[any random GUID (can be the same one from the show sslcert output)]} certstorename=MY verifyclientcertrevocation=enable verifyrevocationwithcachedclientcertonly=disable clientcertnegotiation=enable
8. You can now confirm that this has worked by running show sslcert again. You should see an almost identical output, but with Negotiate Client Certificate set to Enabled:

Note that this method only works for individual certificates - if you need to change or renew the certificate you will have to run these steps again. Of course, you should wrap these up in a batch script or MSI installer custom action for ease of deployment and maintenance.