Possible SSL "bug"

August 02, 2011 10:22PM
Hello,

Not sure if this is a browser issue or if it is an nginx issue.

When using SSL I have encountered a problem using my Android device with
user agent "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
Safari/533.1". It seems the wrong SSL cert is being presented to just
this one browser (that I can determine).

My config *was* as follows:

nginx.conf (A record for this server_name is 75.126.0.178):

....
    # HTTPS server
    #
    server {
        listen [2607:f0d0:1001:2::3]:443;
        listen 443;
        server_name mickey.jlkhosting.com;

        ssl on;
        ssl_certificate /etc/ssl/certs/jlkhosting_com.crt;
        ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers HIGH:!ADH:!MD5;
        ssl_prefer_server_ciphers on;
....


vhost jlkhosting.com (A record is 75.126.13.208):

....
    server {
        listen 443 ssl;
        server_name jlkhosting.com;
....
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers HIGH:!ADH:!MD5;
        ssl_certificate /etc/ssl/certs/jlkhosting_com.crt;
        ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;
....


vhost worldwartwozone.com (A record is 75.126.13.209):

    server {
        listen [2607:f0d0:1001:2::3]:80;
        listen 80;
        listen [2607:f0d0:1001:2::3]:443 ssl;
        listen 443 ssl;
        server_name worldwartwozone.com;
....

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers HIGH:!ADH:!MD5;
        ssl_certificate /etc/ssl/certs/worldwartwozone_com.crt;
        ssl_certificate_key /etc/ssl/certs/worldwartwozone_com.key;
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;


As you can see, all hosts are on different IPs. The certificate at
/etc/ssl/certs/jlkhosting_com.crt is a wildcard for *.jlkhosting.com.

This arrangement works fine in (almost) all browsers. Attached are
screenshots from Firefox which show the correct certificate being used.
Today, I tried logging into worldwartwozone.com from my Android phone
and received the errors in the third and fourth attachments. Clearly,
the certificate that is being presented is the wrong one.

The fix is to tighten up the vhost configuration file to have it listen
on only one IP as follows:

    server {
        listen [2607:f0d0:1001:2::3]:80;
        listen 75.126.13.209:80;
        listen [2607:f0d0:1001:2::3]:443 ssl;
        listen 75.126.13.209:443 ssl;
        server_name worldwartwozone.com;
....

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers HIGH:!ADH:!MD5;
        ssl_certificate /etc/ssl/certs/worldwartwozone_com.crt;
        ssl_certificate_key /etc/ssl/certs/worldwartwozone_com.key;
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;
....


However, I have never had to do this before. This is the only user agent
for which I have had to make this adjustment. It worked fine on Firefox,
Opera, Chrome, and Safari for Mac, and IE9, Firefox, and Chrome for
Windows. It also worked properly on an iPhone 3GS that I tested. Using
the specific IPv4 address works as you can see in the last attachment.

# nginx -V
nginx: nginx version: nginx/1.0.5
nginx: TLS SNI support enabled
nginx: configure arguments: --prefix=/usr/local/etc/nginx
--with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--with-file-aio --with-ipv6
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_flv_module
--add-module=/usr/ports/www/nginx-devel/work/nginx_mod_h264_streaming-2.2.7
--with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-pcre


--
Jim Ohlstein
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Attachments:
- Screen-Shot-2011-08-02-at-9.20.35-PM.png (40.7 KB)
- Screen-Shot-2011-08-02-at-9.20.06-PM.png (34.6 KB)
- device-2011-08-02-213336.png (21.5 KB)
- device-2011-08-02-213319.png (20.7 KB)
- device-2011-08-02-221205.png (22.9 KB)
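The behaviour in the post follows from how nginx chooses a virtual server for an HTTPS connection, and the added example below models that choice so the "before" and "after" configurations can be compared without a server. This is example code written for this page, not the poster's configuration or nginx source. The selection rule it implements is the one the nginx `listen` and `server_name` documentation describes: servers whose `listen` names the exact local address:port the connection arrived on are preferred over `*:port` servers; within that group the SNI host name is matched against `server_name`; with no SNI (or no match) the group's default server is used, which is the first one defined unless a block carries `default_server`. The server lists are constructed from the four fragments in the post, reduced to the fields that matter; the assumption that the Android browser sent no SNI is mine, since the post does not say what the client sent.

```python
"""Model of nginx virtual-server selection for TLS connections (added example).

Constructed from the poster's config fragments; not nginx code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    name: str            # server_name
    listen: List[str]    # "ip:port" or "*:port"; IPv6 as "[addr]:port"
    cert: str            # ssl_certificate path
    default: bool = False  # default_server flag on a listen line


def name_matches(pattern: str, sni: str) -> bool:
    """server_name match: exact name, or a leading wildcard like *.example.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return sni.endswith(suffix) and sni.count(".") >= pattern.count(".")
    return pattern == sni


def candidates(servers: List[Server], local_ip: str, port: str) -> List[Server]:
    """Address-specific listeners win; wildcard *:port only if none match."""
    exact = [s for s in servers if f"{local_ip}:{port}" in s.listen]
    if exact:
        return exact
    return [s for s in servers if f"*:{port}" in s.listen]


def select_server(servers: List[Server], local_ip: str, port: str,
                  sni: Optional[str] = None) -> Optional[Server]:
    """Pick the server block whose certificate nginx would present."""
    group = candidates(servers, local_ip, port)
    if not group:
        return None
    if sni:
        for s in group:
            if name_matches(s.name, sni):
                return s
    for s in group:          # no SNI, or no name matched: default server
        if s.default:
            return s
    return group[0]          # first defined block in the group


def cert_for(servers: List[Server], local_ip: str,
             sni: Optional[str] = None) -> Optional[str]:
    s = select_server(servers, local_ip, "443", sni)
    return s.cert if s else None


# Constructed from the post: all three blocks listened on *:443, and the
# nginx.conf block (mickey.jlkhosting.com) is defined first.
BEFORE = [
    Server("mickey.jlkhosting.com", ["[2607:f0d0:1001:2::3]:443", "*:443"],
           "/etc/ssl/certs/jlkhosting_com.crt"),
    Server("jlkhosting.com", ["*:443"], "/etc/ssl/certs/jlkhosting_com.crt"),
    Server("worldwartwozone.com", ["[2607:f0d0:1001:2::3]:443", "*:443"],
           "/etc/ssl/certs/worldwartwozone_com.crt"),
]

# The poster's fix: worldwartwozone.com bound to its own IPv4 address.
AFTER = BEFORE[:2] + [
    Server("worldwartwozone.com",
           ["[2607:f0d0:1001:2::3]:443", "75.126.13.209:443"],
           "/etc/ssl/certs/worldwartwozone_com.crt"),
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for sni in ("worldwartwozone.com", None):
            print(f"{label:6} sni={sni!s:22} -> {cert_for(cfg, '75.126.13.209', sni)}")
```

Against the "before" list a connection to 75.126.13.209 that carries SNI lands on worldwartwozone.com, but one without SNI falls through to the first `*:443` block and gets the `*.jlkhosting.com` wildcard certificate, which is the mismatch the screenshots show; with the address-specific `listen` the worldwartwozone.com block is the only candidate for that IP, so the client's SNI support no longer matters. To check a live server the same way, run `openssl s_client -connect 75.126.13.209:443` once with `-servername worldwartwozone.com` and once without, and compare the subject of the certificate each handshake returns. Separately, the `ssl_protocols SSLv3 TLSv1` lines in the post are 2011-era; SSLv3 is broken and should not be enabled today.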
Thread:
- Possible SSL "bug" (with attachments) - Jim Ohlstein, August 02, 2011 10:22PM
- Re: Possible SSL "bug" - Igor Sysoev, August 03, 2011 03:26AM
- Re: Possible SSL "bug" - Jim Ohlstein, August 03, 2011 06:56AM
