NGINX1.2.1 SNI provides wrong server certificate

Hi there,
we configured NGINX 1.2.1 on debian 7.1u1 with 5 virtual hosts, set up a
private certification authority, generated keys for all the virtual hosts
and configured the hosts similar to
server {
    listen 443;
    server_name server1.foo.baz.bar;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server1.foo.baz.bar.pem;
    ssl_certificate_key /etc/nginx/ssl/server1.foo.baz.bar.key;

    ssl_protocols SSLv3 TLSv1 SSLv2;
    ssl_ciphers ALL:!ADH:!EXPORT56:!kEDH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
}
However, if we try to access server1 via curl -v -k https://server1.foo.baz.bar

we get a wrong server certificate:

* Connected to server1.baz.bar (…) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: server2.baz.bar
* Server certificate: OUR CA

GET / HTTP/1.1
User-Agent: curl/7.30.0
Host: server1.baz.bar
Accept: */*

What is wrong in our config?

Thanks in advance
--ukr

Posted at Nginx Forum:

The same behavior happens on nginx 1.7.3

Posted at Nginx Forum:

Hello!

On Mon, Aug 04, 2014 at 01:53:15AM -0400, ukr wrote:

> ssl_certificate /etc/nginx/ssl/server1.foo.baz.bar.pem;
> However if we try to access server1 via curl -v -k
>
> Host: server1.baz.bar
> Accept: */*
>
> What is wrong in our config?

First of all I would recommend you to test if the client you are
testing with is able to use SNI. E.g., curl as available in the
latest OS X seems to not be able to use SNI.


Maxim D.
http://nginx.org/
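
Maxim's first suggestion, checking whether the client actually sends SNI, can be done offline with the local TLS stack. This is an added example, not code from the thread or from nginx: it asks Python's ssl module (OpenSSL underneath) to produce a ClientHello against an in-memory BIO and parses the server_name extension out of it; the hostname is the thread's placeholder name, and `None` stands in for a client that does not send SNI.

```python
import ssl
import struct

# Added example: does the local TLS client stack send SNI at all? The
# ClientHello is produced against an in-memory BIO, so no network or
# server is needed; the hostnames used are the thread's placeholders.

def client_hello_for(hostname):
    """Return the raw ClientHello record OpenSSL emits for `hostname`
    (None = connect without SNI, as an SNI-less curl would)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # handshake is never completed
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()              # writes ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass                            # expected: no ServerHello to read
    return outgoing.read()

def extract_sni(record):
    """Parse a TLS handshake record; return the SNI host_name, or None
    when the ClientHello carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:]                   # strip the 5-byte record header
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                    # handshake header, version, random
    pos += 1 + body[pos]                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                # compression_methods
    if pos >= len(body):
        return None                     # SSLv3-style hello: no extensions
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:               # server_name extension (RFC 6066)
            p = pos + 2                 # skip server_name_list length
            while p + 3 <= pos + ext_len:
                name_type = body[p]
                name_len = struct.unpack_from("!H", body, p + 1)[0]
                if name_type == 0:      # host_name
                    return body[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return None
```

Calling `extract_sni(client_hello_for("server1.foo.baz.bar"))` should return the hostname; a `None` result means the client never told nginx which virtual host it wants, so nginx falls back to the default server's certificate.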

On 5 August 2014 00:37, ukr wrote:

> The same behavior happens on nginx 1.7.3

Make sure that your Nginx was built with SNI support, by using the -V
switch:

http://nginx.org/en/docs/http/configuring_https_servers.html#sni

sbin/nginx -V
nginx version: nginx/1.7.3
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.7.3 --user=www-data
--group=www-data --with-http_ssl_module --with-http_ssl_module
--with-http_realip_module --with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-pcre=/opt/pcre-8.35 --pid-path=/var/run/nginx-1.7.3.pid

Posted at Nginx Forum:

On 11-08-14 10:04, ukr wrote:

> sbin/nginx -V
> nginx version: nginx/1.7.3
> built by gcc 4.7.2 (Debian 4.7.2-5)
> TLS SNI support enabled

Since you are using 1.7.3, in case you missed it:

2014-08-05 nginx-1.6.1 stable and nginx-1.7.4 mainline versions have
been released, with a fix for the STARTTLS vulnerability discovered by
Chris Boulton (CVE-2014-3556).

About your issue: maybe read
Configuring HTTPS servers and try
some of the setups described on that page and see if you can get them to
work (with a client that supports SNI).

HTH,
Patrick