Problems with TLS SNI Server Name Indication when using IE9

Hi there,

For those successfully using TLS SNI for https servers.

My IE9 (on Windows7 64 bit) fails to trigger the correct nginx virtual
https server name and SSL certificate (it ignores all except the
default, 1st, server).

But it seems to work fine with FF10 and Chrome17.

Is this an IE9 issue? or am I missing something from my nginx/openssl
compilation options?

/usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.0.13
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-51)
TLS SNI support enabled
configure arguments: --with-debug --prefix=/usr/local/nginx
--sbin-path=/usr/local/nginx/sbin --with-http_ssl_module
--with-http_gzip_static_module --with-http_realip_module
--with-http_addition_module --with-sha1=/usr/lib --with-md5=/usr/lib
--with-openssl=/home/holscha/downloads/openssl/openssl-1.0.1

bin/openssl version -a

openSSL 1.0.1 14 Mar 2012
built on: Tue Mar 20 23:19:10 CET 2012
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3
-Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"

.

Default Server

server {
    listen       443;
    server_name  myaccount.yabroo.at;
    ssl    on;
    ssl_certificate      /etc/httpd/ssl/myaccount.yabroo.at/myaccount.yabroo.at.crt;
    ssl_certificate_key  /etc/httpd/ssl/myaccount.yabroo.at/myaccount.yabroo.at.key;
}

server {
    listen       443;
    server_name  admin.yabroo.com;
    ssl    on;
    ssl_certificate      /etc/httpd/ssl/yabroocom/admin.yabroo.com.crt;
    ssl_certificate_key  /etc/httpd/ssl/yabroocom/admin.yabroo.com.key;
}

server {
    listen       443;
    server_name  myaccount.yabroo.com;
    ssl    on;
    ssl_certificate      /etc/httpd/ssl/myaccount.yabroo.com/myaccount.yabroo.com.crt;
    ssl_certificate_key  /etc/httpd/ssl/myaccount.yabroo.com/myaccount.yabroo.com.key;
}

Regards

Axel

Hello!

On Fri, Mar 23, 2012 at 10:22:38AM +0200, Axel Holscher (GMAIL) wrote:

> My IE9 (on Windows7 64 bit) fails to trigger the correct nginx virtual https
> server name and SSL certificate (It ignores all except the default -1st
> server).
>
> But It seems to work fine with FF10 and Chrome17.
>
> Is this an IE9 issue? or am I missing something from my nginx/openssl
> compilation options?

Most likely it’s an IE issue; your nginx config looks fine. You may
try looking at what’s happening on the wire (e.g. in wireshark) or
just test if you see the same behaviour on a clean install of
Win7 + IE9 (google search suggests some incorrect registry
settings may cause problems).

Maxim D.