Nginx serving extra ssl certs

Nginx serving extra ssl certs

Fabian A. Santiago
Hello nginx world,

I hope you can help me track down my issue.

First, I'm running:

CentOS 7.3.1611
Nginx 1.11.10
OpenSSL 1.0.1e-fips

My issue is I run 11 virtual sites, all listening on both IPv4 & 6, same two addresses, so obviously I rely on SNI. One site also listens on Tor.

When I check the SSL responses using either the SSL Labs server test or openssl s_client, my sites work fine but also serve an extra 2nd cert meant for the wrong hostname. I'm confused as I see no issue with my config files.

I've attached a sample of my config files for one site for your perusal.

You can also check this domain for yourself:

server1.garbage-juice.com

Thanks for your help.


--
Thanks.
Fabian S.
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Attachments: Documents.7z (1K), signature.asc (887 bytes)

Re: Nginx serving extra ssl certs

Richard Stanway
Your configs look fine; what you are seeing is the certificate that is sent if a client does not support SNI. You can control which certificate is chosen using the default_server parameter on your listen directive.

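The check Richard describes, as an added example that is not part of the thread: connect once with SNI and once without and compare the leaf certificate nginx presents. Without a default_server on an address:port, nginx hands non-SNI clients the certificate of whichever server block for that address appears first in the configuration, which is why a scanner or openssl s_client run without -servername shows a "wrong" hostname. The script assumes the openssl CLI is installed; the host names and the certificate paths in the catch-all server block are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): see which certificate a
# TLS server sends to SNI and non-SNI clients, then emit a catch-all
# default_server block so non-SNI clients never get a real site's certificate.
# Assumes the openssl CLI is available. Host names and paths are placeholders.

# Print the subject line of the leaf certificate the server presents.
# $1 = host, $2 = port, $3 = SNI name (omit to send no SNI at all)
served_cert_subject() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then
        set -- -servername "$sni"
    elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        set -- -noservername   # OpenSSL >= 1.1.1 sends SNI by default; switch it off
    else
        set --                 # older OpenSSL sends no SNI unless -servername is given
    fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Pull the CN out of an `openssl x509 -subject` line. Handles both the old
# "subject= /C=US/CN=host" and the newer "subject=C = US, CN = host" layouts,
# so results from different OpenSSL versions compare equal.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Compare what an SNI client and a non-SNI client receive from one host.
# $1 = host, $2 = port (defaults to 443)
sni_check() {
    target=$1; tport=${2:-443}
    with_sni=$(subject_cn "$(served_cert_subject "$target" "$tport" "$target")")
    without_sni=$(subject_cn "$(served_cert_subject "$target" "$tport")")
    echo "with SNI:    CN=$with_sni"
    echo "without SNI: CN=$without_sni"
    if [ "$with_sni" = "$without_sni" ]; then
        echo "non-SNI clients get this site's certificate (it is the default_server)"
    else
        echo "non-SNI clients get another site's certificate (the default_server's)"
    fi
}

# Emit a catch-all server block. Marking it default_server on every
# address:port pair makes it the server whose certificate non-SNI clients
# see, so give it a dedicated placeholder certificate and no content.
catchall_server_block() {
    cat <<'EOF'
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/placeholder.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/placeholder.key;   # placeholder path
    return 444;   # nginx-specific: close the connection without a response
}
EOF
}

# usage: sh sni_check.sh server1.garbage-juice.com 443
if [ "$#" -ge 1 ]; then
    sni_check "$@"
fi
```

The placeholder certificate can be self-signed: its only job is to be the thing non-SNI clients see instead of a neighbouring site's certificate, so nothing about it needs to validate. On nginx 1.19.4 and later, `ssl_reject_handshake on;` inside the default server aborts the handshake before any certificate is sent, which removes the cross-site leak entirely; it is not available in the 1.11.10 build mentioned in the thread.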
Re: Nginx serving extra ssl certs

Fabian A. Santiago
On March 12, 2017 3:58:41 PM EDT, Richard Stanway <[hidden email]> wrote:

>Your configs look fine, what you are seeing is the certificate that is
>sent
>if a client does not support SNI. You can control which certificate is
>chosen using the default_server parameter on your listen directive.
>
Oh, that makes sense. Ok, I guess I just never noticed that before. And also thought that default site wouldn't be sent unless it knew of no SNI already. Thanks. That was easy.
--
Thanks.
Fabian S.
Attachment: signature.asc (887 bytes)