When running SSL on more than one virtual host (one IP), I get a weird issue when virtual hosts are defined in different orders. One virtual host is a TLD (example.com), and one is an alias I set in /etc/hosts (alias). Both use their own certificates and work fine when I define them in this order:
include /etc/nginx/vhosts/ssl_example.com.conf;
include /etc/nginx/vhosts/ssl_alias.conf;
But when I reverse the order, both hosts try to use (alias)'s certificate, so I get an ssl warning when trying to connect to (example.com).
In both cases, I use "listen 443" and server_name is set as (example.com) and (alias). I don’t listen on 443 except in virtual hosts, all with server_name defined. When I use "listen 443 default ssl" instead of "listen 443" for (example.com), this problem goes away. It looks like nginx takes the first virtual host that listens on 443 if I try to connect to the server on a host that isn’t listening on 443.
But I still don’t understand… both of the above are valid hosts, so why does the order in which I include the virtual hosts cause different results?
On Fri, Oct 09, 2009 at 11:22:29AM -0700, Linmiao Xu wrote:
In both cases, I use “listen 443” and server_name is set as (example.com)
and (alias). I don’t listen on 443 except in virtual hosts, all with
server_name defined. When I use “listen 443 default ssl” instead of “listen
443” for (example.com), this problem goes away. It looks like nginx takes
the first virtual host that listens on 443 if I try to connect to the server
on a host that isn’t listening on 443.
Yes, nginx uses the first server for a given listen pair if no explicit
default server is defined for the listen pair.
But I still don’t understand… both of the above are valid hosts, so why
does the order in which I include the virtual hosts cause different results?
Are you sure that nginx was built with SNI support ?
What browsers and nginx versions do you use ?
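As an added illustration of the selection rule Igor states above (constructed example code for this thread, not nginx's source), the following models how a server block is chosen for a connection on one listen pair: with no SNI name from the client, the explicit default server or, failing that, the first server defined for that pair answers, so the order of the include lines decides which certificate is presented; with an SNI name, the server whose server_name matches wins regardless of order. The Server records, certificate paths and the alias/example.com hosts are assumed for the demonstration, and only exact and leading-wildcard server_name matching is modeled.

```python
"""Model of nginx's server selection for an HTTPS connection (constructed
example for this thread, not nginx source).

Rule, as stated in the thread: for a given listen address:port pair, the
server marked default ("listen 443 default ssl") handles the TLS handshake;
if no server is marked, the first server defined for that pair does.  When
the client sends an SNI name, a server whose server_name matches it is
picked instead, so include order stops mattering.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    listen: str               # "443" or "ip:443"; only this subset of listen syntax is modeled
    server_names: List[str]   # server_name values, lower-case
    certificate: str          # ssl_certificate path; the observable outcome of selection
    default: bool = False     # True for "listen 443 default ssl"


def normalize_listen(listen: str) -> str:
    """A bare port means 'all addresses', as nginx treats 'listen 443'."""
    return listen if ":" in listen else f"0.0.0.0:{listen}"


def servers_for(servers: List[Server], listen: str) -> List[Server]:
    key = normalize_listen(listen)
    return [s for s in servers if normalize_listen(s.listen) == key]


def default_server(servers: List[Server], listen: str) -> Optional[Server]:
    pool = servers_for(servers, listen)
    for s in pool:
        if s.default:
            return s
    return pool[0] if pool else None      # no explicit default: first defined wins


def name_matches(pattern: str, name: str) -> bool:
    """Exact names and leading wildcards (*.example.com); a subset of nginx matching."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return pattern == name


def select_server(servers: List[Server], listen: str, sni_name: Optional[str]) -> Optional[Server]:
    """Pick the server that will present its certificate for this handshake."""
    if sni_name is not None:
        name = sni_name.lower()
        pool = servers_for(servers, listen)
        # exact match takes precedence over wildcard match, as in nginx
        for s in pool:
            if name in s.server_names:
                return s
        for s in pool:
            if any(name_matches(p, name) for p in s.server_names if p.startswith("*.")):
                return s
    # no SNI, or a name no server_name matches: the listen pair's default answers
    return default_server(servers, listen)


def certificate_for(servers: List[Server], sni_name: Optional[str], listen: str = "443") -> Optional[str]:
    s = select_server(servers, listen, sni_name)
    return s.certificate if s else None


# Constructed hosts mirroring the thread: a public name and an /etc/hosts alias.
EXAMPLE = Server("443", ["example.com"], "/etc/nginx/ssl/example.com.crt")
ALIAS = Server("443", ["alias"], "/etc/nginx/ssl/alias.crt")
EXAMPLE_DEFAULT = Server("443", ["example.com"], "/etc/nginx/ssl/example.com.crt", default=True)


def demo() -> dict:
    """Outcome table for both include orders, with and without SNI."""
    table = {}
    for label, order in (("tld first", [EXAMPLE, ALIAS]), ("alias first", [ALIAS, EXAMPLE])):
        table[label] = {
            "no SNI": certificate_for(order, None),
            "SNI example.com": certificate_for(order, "example.com"),
            "SNI alias": certificate_for(order, "alias"),
        }
    table["alias first, example.com default"] = {
        "no SNI": certificate_for([ALIAS, EXAMPLE_DEFAULT], None),
    }
    return table


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

Running the demo reproduces the symptom in the first post: without SNI the "alias first" order presents alias's certificate to every client, while marking example.com as default fixes that order, and with SNI both orders give the same answer.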
Yes, should be built with SNI support (--with-http_ssl_module and --with-openssl=/usr/src/openssl-0.9.8k). I used 0.7.62 and 0.8.19 and both gave me the same result. I compiled both with OpenSSL 0.9.8k, which has SNI.
Before, when I used 0.9.8e (latest version in CentOS 5.3), every virtual host would use the same certificate (no SNI). Browser is Firefox 3.5.3 which also supports SNI.
The strange part is how it looks like SNI is enabled if I include the TLD virtual host first, but isn’t enabled if the alias is included first. Do you need more information?
On Fri, Oct 09, 2009 at 05:44:07PM -0700, Linmiao Xu wrote:
Yes, should be built with SNI support (--with-http_ssl_module and
--with-openssl=/usr/src/openssl-0.9.8k). I used 0.7.62 and 0.8.19 and both
gave me the same result. I compiled both with OpenSSL 0.9.8k, which has SNI.
Before, when I used 0.9.8e (latest version in CentOS 5.3), every virtual
host would use the same certificate (no SNI). Browser is Firefox 3.5.3 which
also supports SNI.
As far as I know OpenSSL-0.9.8 is not built with SNI by default, you need to add
--with-openssl=/usr/src/openssl-0.9.8k
--with-openssl-opt="enable-tlsext"
What does "strings nginx | grep SSL_get_servername" show ?
On Thu, Oct 22, 2009 at 06:28:19AM -0700, ianchov wrote:
Hi,
I have built nginx with your command line options but still SNI does not work.
strings nginx | grep SSL shows the new OpenSSL 0.9.8k
I have the openssl src in a directory. Should I install it or is it enough that nginx is compiled against it??
I meant not “strings nginx | grep SSL”, but
“strings nginx | grep SSL_get_servername”.
Anyway, try to build the lastest 0.8.21 or 0.7.63 and run
nginx -V 2>&1 | grep SNI
I built it successfully against SNI and the
nginx -V 2>&1 | grep SNI
is showing TLS SNI support enabled
However again I cannot manage to use two different SSL certificates on two SSL hosts listening on port 443…
Any ideas???
On Tue, Oct 27, 2009 at 08:08, Igor S. [via nginx] <[email protected]>
Hi,
I have built nginx with your command line options but still SNI does not work.
strings nginx | grep SSL shows the new OpenSSL 0.9.8k
I have the openssl src in a directory. Should I install it or is it enough that nginx is compiled against it??
I forgot to add.
I placed openssl in the /usr/src directory and I built against it… I didn't configure/install openssl…
On Mon, Oct 26, 2009 at 11:19:08PM -0700, ianchov wrote:
I built it successfully against SNI and the
nginx -V 2>&1 | grep SNI
is showing TLS SNI support enabled
However again I cannot manage to use two different SSL certificates on two SSL hosts listening on port 443…
Any ideas???
Could you show SSL part of
vhosts/ssl_example.com.conf;
vhosts/ssl_alias.conf;
?
Here are my two ssl vhosts:
server {
    listen 443;
    ssl on;
    ssl_certificate /usr/local/etc/pathTocrt;
    ssl_certificate_key /usr/local/pathTokey;
    server_name xxxxx.com www.xxxxxx.com;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /usr/local/etc/pathTocrt2;
    ssl_certificate_key /usr/local/pathTokey2;
    server_name xxxxx2.com wwww.xxxxxx2.com;
}
Hope that helps…
Regards,
Iancho
2009/10/27 Igor S. [email protected]
On Tue, Oct 27, 2009 at 12:55:34PM +0200, Iantcho Vassilev wrote:
Hope that helps…
As I understand, Linmiao Xu [email protected] is a different man.
Well, what is your case ? What browser do you use ?
I’ve just created my own certificate authority, have installed the CA certificate in FF 3.0, then have created 2 certificates signed by this authority. Both certificates work well with SNI without any message.
2009/10/27 Igor S. [email protected]
by this authority. Both certificates work well with SNI without any message.
Sorry about the misunderstanding… those two sites use Godaddy and TrueSSL certificates.
When I put one of the servers to listen on another port (one is 443, the other 444) both certificates work; when they are both on port 443 both sites use the first loaded certificate…
I thought it should work without installing any CA or whatever (those are trustworthy CAs)
Regards,
Iancho
On Tue, Oct 27, 2009 at 07:42:42PM +0200, Iantcho Vassilev wrote:
What browsers did you use for testing ?
2009/10/27 Igor S. [email protected]
What browsers did you use for testing ?
I used F.F 3.5.3
On Wed, Oct 28, 2009 at 09:31:05AM +0200, Iantcho Vassilev wrote:
What browsers did you use for testing ?
I used F.F 3.5.3
Could you create debug log of the requests ?
Here is the debug on the host when only one site listens to 443
2009/10/29 00:54:46 [debug] 9171#0: epoll add event: fd:26 op:1 ev:00000001
2009/10/29 00:55:11 [debug] 9171#0: post event 0000000001DD9128
2009/10/29 00:55:11 [debug] 9171#0: delete posted event 0000000001DD9128
2009/10/29 00:55:11 [debug] 9171#0: accept on 0.0.0.0:443, ready: 0
2009/10/29 00:55:11 [debug] 9171#0: malloc: 0000000001D44370:256
2009/10/29 00:55:11 [debug] 9171#0: *195388 accept: xx.xxx.xxx.xx fd:13
2009/10/29 00:55:11 [debug] 9171#0: *195388 event timer add: 13: 5000:1256766916090
2009/10/29 00:55:11 [debug] 9171#0: *195388 epoll add event: fd:13 op:1 ev:80000001
2009/10/29 00:55:11 [debug] 9171#0: *195388 post event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 delete posted event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 malloc: 0000000001C0D410:1248
2009/10/29 00:55:11 [debug] 9171#0: *195388 malloc: 0000000001C066A0:256
2009/10/29 00:55:11 [debug] 9171#0: *195388 malloc: 0000000001D32990:4096
2009/10/29 00:55:11 [debug] 9171#0: *195388 malloc: 0000000001E04130:4096
2009/10/29 00:55:11 [debug] 9171#0: *195388 http check ssl handshake
2009/10/29 00:55:11 [debug] 9171#0: *195388 https ssl handshake: 0x16
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: -1
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_get_error: 2
2009/10/29 00:55:11 [debug] 9171#0: *195388 post event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 delete posted event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL handshake handler: 0
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: 1
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL: SSLv3, cipher: "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http process request line
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_read: -1
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_get_error: 2
2009/10/29 00:55:11 [debug] 9171#0: *195388 post event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 delete posted event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 http process request line
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_read: 720
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_read: -1
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_get_error: 2
2009/10/29 00:55:11 [debug] 9171#0: *195388 http request line: "GET / HTTP/1.1"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http uri: "/"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http args: ""
2009/10/29 00:55:11 [debug] 9171#0: *195388 http exten: "php"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http process request header line
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Host: ****"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Accept-Language: en-us,en;q=0.5"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Accept-Encoding: gzip,deflate"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Keep-Alive: 300"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Connection: keep-alive"
2009/10/29 00:55:11 [debug] 9171#0: *195388 http header: "Referer: https:///"
Thanks for the info.
I checked the browser: TLS is enabled.
Is there a special way to enable it on the server??
It is very strange for me because before Nginx I was using litespeed and there every SSL host was listening on 443 and everything worked… how do they do it I don't know…??
2009/10/29 Igor S. [email protected]
On Wed, Oct 28, 2009 at 11:59:44PM +0200, Iantcho Vassilev wrote:
Here is the debug on the host when only one site listens to 443
2009/10/29 00:55:11 [debug] 9171#0: *195388 http check ssl handshake
2009/10/29 00:55:11 [debug] 9171#0: *195388 https ssl handshake: 0x16
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: -1
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_get_error: 2
SNI handshake looks like this:
2009/10/29 09:53:05 [debug] 73997#0: *1 http check ssl handshake
2009/10/29 09:53:05 [debug] 73997#0: *1 https ssl handshake: 0x16
2009/10/29 09:53:05 [debug] 73997#0: *1 SSL server name: "www.example.com"
2009/10/29 09:53:05 [debug] 73997#0: *1 SSL_do_handshake: -1
2009/10/29 09:53:05 [debug] 73997#0: *1 SSL_get_error: 2
2009/10/29 00:55:11 [debug] 9171#0: *195388 post event 0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 delete posted event
0000000001DD95A0
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL handshake handler: 0
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: 1
2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL: SSLv3, cipher:
“DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1”
For some reason only SSLv3 has been negotiated.
Either the server has no TLSv1 enabled in ssl_protocols, or the browser.
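To make the difference between the two handshakes quoted above concrete, here is an added example (constructed for this thread, not nginx or OpenSSL code) that builds a minimal ClientHello record and extracts the server_name extension from it, which is what OpenSSL's servername callback hands to nginx and what the "SSL server name:" debug line reports. An SSLv3 ClientHello carries no extensions block at all, which is why a connection that negotiates only SSLv3 can never reach the SNI callback no matter how the server was built; the TLS 1.0 version value, the cipher suite and the host name used below are sample values.

```python
"""Minimal TLS ClientHello builder and SNI parser (constructed example for
this thread, not nginx or OpenSSL code).

The server_name extension (RFC 3546, extension type 0) lives in the
extensions block at the end of a ClientHello.  SSLv3 hellos have no such
block, so a client that only offers SSLv3 cannot name the host it wants,
and the server falls back to the listen pair's default certificate.
"""
import struct
from typing import Optional

SSL3_VERSION = 0x0300
TLS1_VERSION = 0x0301
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0
HOST_NAME_TYPE = 0


def build_client_hello(version: int, server_name: Optional[str]) -> bytes:
    """Build one TLS record holding a ClientHello with a single cipher suite.

    The random is zeroed and the suite fixed (0x0039, DHE-RSA-AES256-SHA, the
    suite in the thread's log); both are sample values.  The extensions block
    is only emitted for TLS versions, since SSLv3 has nowhere to carry it.
    """
    body = struct.pack("!H", version)
    body += bytes(32)                                  # client random (sample: zeros)
    body += b"\x00"                                    # session id: empty
    body += struct.pack("!H", 2) + b"\x00\x39"         # one cipher suite
    body += b"\x01\x00"                                # one compression method: null
    if version > SSL3_VERSION and server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext      # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", version, len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None.

    None covers both an SSLv3 hello (no extensions block) and a TLS hello
    that simply omits SNI; malformed input raises ValueError.
    """
    if len(record) < 9 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                       # skip version and random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                               # compression methods
    if version == SSL3_VERSION or pos + 2 > len(body):
        return None                                    # no extensions block present
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions block overruns body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    print(parse_sni(build_client_hello(TLS1_VERSION, "www.example.com")))   # www.example.com
    print(parse_sni(build_client_hello(SSL3_VERSION, "www.example.com")))   # None
```

The parser is the check a server-side SNI hook performs: if it returns None, the server has no name to select on and the connection lands on the listen pair's first or default server, exactly the behaviour seen in the SSLv3 log above.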
On Thu, Oct 29, 2009 at 09:35:54AM +0200, Iantcho Vassilev wrote:
Thanks for the info.
I checked the browser TLS is enabled.
Is there a special way to enable it on the server??
http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols
It is very strange for me because before Nginx i was using litespeed and
there every SSL host was listening on 443 and everything worked…how do they
do it i don`t know…??
I do not know whether litespeed supports SNI.
All these hosts are listen on single IP ?
On Thu, Oct 29, 2009 at 10:31:21AM +0200, Iantcho Vassilev wrote:
yes (on the same port)… and it was working for nearly 2 years…
Did these hosts work in MSIE 6.0 ?