Re: Issue with SNI/SSL and default_server

August 28, 2012 12:46AM
On Aug 28, 2012, at 8:33 , bompus wrote:

> I've had the same issues and did some testing.
>
> The following causes the issue where the SSL certificate that is defined in
> the default_server block is being sent for requests that end up in another
> server block that has a different ssl_certificate defined. This only happens
> when adding the IP address as server_name.
>
> Example of issue:
> server {
>     listen 443 default_server ssl;
>     server_name _;
>     ssl_certificate /usr/local/nginx/conf/ssl/default.crt;
>     ssl_certificate_key /usr/local/nginx/conf/ssl/default.key;
>     location / { return 403; }
> }
>
> server {
>     listen 443 ssl;
>     server_name 1.2.3.4;
>     ssl_certificate /usr/local/nginx/conf/ssl/1.2.3.4.crt;
>     ssl_certificate_key /usr/local/nginx/conf/ssl/1.2.3.4.key;
>     location /test { return 401; }
> }
>
> When I access https://1.2.3.4/test, I receive a 401 error as expected, but
> the SSL certificate being sent is the one defined in default.crt
>
> Working:
> <Same default server block>
>
> server {
>     listen 443 ssl;
>     server_name test.hostname.com;
>     ssl_certificate /usr/local/nginx/conf/ssl/1.2.3.4.crt;
>     ssl_certificate_key /usr/local/nginx/conf/ssl/1.2.3.4.key;
>     location /test { return 401; }
> }
>
> Now when accessing test.hostname.com, which is an A record to 1.2.3.4, I get
> served the correct certificate as defined in 1.2.3.4 -- I've tested this
> multiple times on Ubuntu 12.04 w/ nginx as configured:
> nginx version: nginx/1.2.3
> built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
> TLS SNI support enabled
> configure arguments: --with-http_ssl_module --user=nobody --group=nobody

What client do you use to test?
It may not send a hostname in the SSL hello request if the hostname is an IP address.


--
Igor Sysoev
