SSL Multiple Vhost Overlapping common name [CN]

SSL Multiple Vhost Overlapping common name [CN]

shahzaib mushtaq
Hi,

Our nginx server is configured with two different domain SSL certificates on the same IP:

*.yourdomain.com (Renewed)

We've configured vhosts for both these certificates in the /usr/local/etc/nginx/vhosts/ directory. After installing the certificates we tested them with SSLShopper and both were installed properly (CN, intermediate chain etc. were properly listed for each).

Now here comes the confusing part. Recently we renewed the SSL certificate for *.yourdomain.com from GoDaddy, and after installing it SSLShopper shows the correct CN and intermediate chain for the new certificate (*.yourdomain.com), but openssl shows its CN as *.mydomain.com instead of *.yourdomain.com.

I repeat: SSLShopper and SSLLabs show the proper CN (common name), but if I use the openssl command to verify it:

[root@cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect s4.yourdomain.com:443 | head -30
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
depth=0 CN = *.mydomain.com

Here you can see that the CN is *.mydomain.com instead of *.yourdomain.com.

We were also seeing very delayed serving of requests, but once we disabled one of the vhosts, the CN started to show the correct domain and performance improved drastically.

To test it further with nginx we reversed the order of the virtual hosts and moved the virtual host for yourdomain.com above mydomain.com, and now the CN for both (mydomain.com and yourdomain.com) shows *.yourdomain.com. So we concluded that it's due to the order of the virtual hosts: the vhost which comes first will overlap the CN for all other domains coming beneath it.

Is there any way to get this fixed?

Here is the configuration of the vhosts:

server {
    # 'ssl on;' is the old spelling; 'listen 443 ssl;' is the equivalent
    # idiom and the only form accepted by nginx >= 1.15.0
    listen 443 ssl;
    server_name s4.mydomain.com;
    ssl_certificate     /etc/ssl/certs/mydomain/mydomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Cipher list as posted. Note that '!DES' only removes single-DES suites;
    # the 3DES suites (*-DES-CBC3-SHA, DES-CBC3-SHA) listed explicitly above
    # it stay enabled, and TLSv1/TLSv1.1 are still offered.
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    location / {
        root  /yourdomain;
        index index.html index.htm index.php;
    }
}

server {
    listen 443 ssl;
    server_name s4.yourdomain.com;
    ssl_certificate     /etc/ssl/certs/yourdomain/yourdomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Same cipher list as the first vhost (same 3DES / TLSv1 caveat)
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    location / {
        root  /yourdomain;
        index index.html index.htm index.php;
    }
}

Any advice will be very much appreciated.

Thanks.
Shahzaib

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: SSL Multiple Vhost Overlapping common name [CN]

Joshua Cooley
You'll need to pass the servername parameter for openssl s_client to send SNI, e.g.

openssl s_client -servername s4.yourdomain.com -connect s4.yourdomain.com:443 

On Aug 4, 2017 8:55 AM, "shahzaib mushtaq" <[hidden email]> wrote:
> [...]
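The behaviour behind both messages, reproduced locally as an added example (this is not code from the thread or from nginx): an nginx listen socket with several TLS server blocks picks the block by the SNI name in the ClientHello, and a client that sends no SNI gets the default server for that socket, which is the first server block defined unless one carries default_server. The script below stands that up with openssl s_server, whose -cert/-key plus -servername/-cert2/-key2 follow the same rule, then probes it with s_client both without SNI (the poster's command on the OpenSSL of 2017) and with -servername (Joshua's fix). Assumptions: OpenSSL 1.1.1 or newer on PATH (for -noservername), a free local port (8443 unless PORT is set), and the two throwaway self-signed certificates generated here stand in for the real wildcard certificates; s4.mydomain.com and s4.yourdomain.com are only labels and are never resolved.

```shell
#!/bin/sh
# Added example, not from the thread: one IP, two TLS "vhosts", and which
# certificate a client receives with and without SNI.
# Assumes: OpenSSL >= 1.1.1 (for -noservername), a free local port.
set -eu

PORT="${PORT:-8443}"
WORK="$(mktemp -d)"
SERVER_PID=""
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# Throwaway self-signed certificates standing in for the two wildcard certs
# from the thread (constructed here; no real CA involved).
make_cert() { # make_cert <name> <CN>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# s_server answers with -cert/-key unless the client's SNI equals -servername,
# in which case it answers with -cert2/-key2. nginx applies the same rule:
# server block chosen by SNI, otherwise the default server for the socket
# (first block defined, or the one marked default_server).
start_server() {
    openssl s_server -accept "$PORT" -www \
        -cert "$WORK/mydomain.crt" -key "$WORK/mydomain.key" \
        -servername s4.yourdomain.com \
        -cert2 "$WORK/yourdomain.crt" -key2 "$WORK/yourdomain.key" \
        </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    # Poll until the listener completes a handshake (give up after ~10 s).
    i=0
    while [ "$i" -lt 10 ]; do
        if openssl s_client -connect "127.0.0.1:$PORT" -noservername \
                </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "s_server did not come up on port $PORT" >&2
    return 1
}

# Print the CN of the leaf certificate a client is handed.
# leaf_cn <host> <port> [<sni-name>]   (omit the third argument for no SNI)
leaf_cn() {
    if [ -n "${3:-}" ]; then
        set -- -connect "$1:$2" -servername "$3"
    else
        set -- -connect "$1:$2" -noservername
    fi
    # s_client prints the leaf cert in PEM; x509 reads the first PEM block.
    openssl s_client "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=//'
}

demo() {
    make_cert mydomain   '*.mydomain.com'
    make_cert yourdomain '*.yourdomain.com'
    start_server
    # Without SNI the default (first) vhost's certificate comes back, which is
    # exactly the "wrong CN" the poster saw; with SNI each name gets its own.
    printf 'no SNI                -> CN=%s\n' "$(leaf_cn 127.0.0.1 "$PORT")"
    printf 'SNI s4.mydomain.com   -> CN=%s\n' "$(leaf_cn 127.0.0.1 "$PORT" s4.mydomain.com)"
    printf 'SNI s4.yourdomain.com -> CN=%s\n' "$(leaf_cn 127.0.0.1 "$PORT" s4.yourdomain.com)"
}

demo
```

Two caveats when applying this to a real host. From OpenSSL 1.1.1 on, s_client sends SNI by default whenever -connect names a host, so a plain `openssl s_client -connect s4.yourdomain.com:443` already shows the right certificate on a modern build; pass -noservername to see what a non-SNI client (old Java 6 or Windows XP clients, some monitoring scripts) is handed. And the poster's observation that the first server block "overlaps" the others is the default-server rule above, not a bug: if a particular certificate should be the one served to non-SNI clients, mark that block's listen as `listen 443 ssl default_server;` rather than relying on file order.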