
Problem of configuring client cert verification

August 10, 2011 02:26AM
Hey, I have a config like this:

server {
    server_name foo;
    listen 10.117.0.150:3443;
    ssl on;
    ssl_certificate /opt/mycrt/nginx.crt;
    ssl_certificate_key /opt/mycrt/nginx.key;
    # require a client certificate signed by the "foo" CA
    ssl_verify_client on;
    ssl_client_certificate /opt/mycrt/nginx.foo.ca.crt;

    location = /certauth {
    }

    location / {
        return 403;
    }
}

server {
    server_name bar;
    # same IP and port as the "foo" server above
    listen 10.117.0.150:3443;
    ssl on;
    ssl_certificate /opt/mycrt/nginx.crt;
    ssl_certificate_key /opt/mycrt/nginx.key;
    # require a client certificate signed by the "bar" CA
    ssl_verify_client on;
    ssl_client_certificate /opt/mycrt/nginx.bar.ca.crt;

    location = /certauth {
    }

    location / {
        return 403;
    }
}

Note that the two server names share the same IP. If I turn client certificate verification on in both server configs, it works well. That is, accessing https://foo:3443/certauth and https://bar:3443/certauth is OK in both cases with the correct certificates (the first cert is signed by nginx.foo.ca.crt and the second is signed by nginx.bar.ca.crt).

However, if I set the first server block's "ssl_verify_client" to "off" and remove the location block for "= /certauth", both servers will return the 403 error. In other words, disabling client cert verification in "foo" also disables client cert verification in the "bar" server.

If I assign a new IP 10.117.0.151 to server "bar" and try with foo's client cert verify "off" and bar's "on", it works as expected -- foo always returns the 403 error and bar correctly returns the normal page.

I've checked and confirmed that my nginx's SNI is enabled; my openssl is 1.0.0c and my nginx version is 0.9.3.


Is this expected, a bug, or did I do something wrong in the config?


Thanks.
Subject, Author, Posted

Problem of configuring client cert verification, speedfirst, August 10, 2011 02:26AM
Re: Problem of configuring client cert verification, Maxim Dounin, August 10, 2011 05:36AM
Re: Problem of configuring client cert verification, speedfirst, August 11, 2011 01:33AM
Re: Problem of configuring client cert verification, Maxim Dounin, August 11, 2011 09:20AM


