SSL Conflict Between Two Virtual Hosts

Hello NGINX community!

I am setting up multiple websites on one server. Obviously I created
different server directives for each domain that I want to serve.

I set domainA to listen on 443 for ssl, as well as domainB. BOTH of them
listen on port 80 and port 443, BUT they serve different ssl
certificates.

The problem comes when I access domainB over an ssl connection, because
domainB is sending domainA’s ssl certificate! I already double checked
this to see if the two domains really have different ssl certs, and they
really are different.

From what I understand nginx should be able to serve different ssl certs and connection to multiple domains even if they all listen to the same port 443.

Is this a bug, or is nginx intended to work this way? Is it imperative
that only one domain listens on port 443, or is nginx intended to serve
multiple domains on port 443 with different certs? I hope the solution to
this problem is not to create a single cert for all the virtual hosts via
Subject Alternate Name in the cert signing request…

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,42666,42666#msg-42666
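Added example, not the poster's configuration: the two-hosts-on-one-address layout from the post above, written as nginx server blocks with placeholder host names, address and certificate paths. With an nginx build that has SNI support (`nginx -V` prints "TLS SNI support enabled") and a client that sends SNI, nginx picks the server block, and therefore the certificate, from the host name in the TLS ClientHello. A client that sends no SNI only ever sees the certificate of the default server for that address:port, which is the first server block listed unless `default_server` is set explicitly; that is exactly the symptom of domainB answering with domainA's certificate. The second half shows the one-address-per-host layout that works regardless of SNI.

```nginx
# Added example (placeholder names, address and paths), not the poster's config.

# --- Layout 1: one address, one port, two certificates (needs SNI) ---
# Explicit default_server makes it obvious which certificate a client that
# sends no SNI will receive: domainA's, never domainB's.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name domainA.example;
    ssl_certificate     /etc/nginx/ssl/domainA.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/domainA.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    listen 203.0.113.10:443 ssl;
    server_name domainB.example;
    # Only selected when the ClientHello carries "domainB.example" in SNI.
    ssl_certificate     /etc/nginx/ssl/domainB.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/domainB.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
}

# --- Layout 2: one address per host (works for clients without SNI) ---
# Each listen socket has exactly one server, so the certificate is fixed
# before any host name is known.
server {
    listen 203.0.113.10:443 ssl;
    server_name domainA.example;
    ssl_certificate     /etc/nginx/ssl/domainA.crt;
    ssl_certificate_key /etc/nginx/ssl/domainA.key;
}
server {
    listen 203.0.113.11:443 ssl;                      # second placeholder address
    server_name domainB.example;
    ssl_certificate     /etc/nginx/ssl/domainB.crt;
    ssl_certificate_key /etc/nginx/ssl/domainB.key;
}
```

To see which certificate a given name actually gets, compare `openssl s_client -connect 203.0.113.10:443 -servername domainB.example` (SNI sent) with the same command without `-servername` (no SNI); under Layout 1 the second one returns domainA's certificate, under Layout 2 both return the certificate of whichever address you connect to.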

On Mon, Jan 18, 2010 at 01:01:47PM -0500, jasonago wrote:

Is this a bug or nginx is intended to work this way? Is it imperative that only one domain listens to port 443 or nginx is intended to serve multiple domain in port 443 with different certs? I hope the solution to this problem is not to create a single cert for all the virtual host via Subject Alternate Name in the cert signing request…
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers


Igor S.
http://sysoev.ru/en/

Hi,

As the howto on:

http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

says, you need one ip address per ssl vhost because the ssl handshake is
done before the connection is acknowledged. Because of this, the ssl cert
is already in use before the name will be validated by nginx.

Best,

Andreas

Hello again, thanks for the explanations I understand enough.

BUT I discovered that it is still possible to serve two different ssl
certs for two different domains with only a single IP address.

Traditionally, as explained by the previous posts, the setup of vhosts in
nginx should be (I got lazy and didn't post my nginx server directives, so
I shortened it to the following):
domainA + IP-addressA + SSLcertA + port443 and
domainB + IP-addressB + SSLcertB + port443

And the following will be in conflict, as I described in the starting topic:
domainA + IP-addressA + SSLcertA + port443 and
domainB + IP-addressA + SSLcertB + port443

But I was able to get the following configuration working as a desperate
hack to use two different ssl certs with the same IP address by listening
on two different ports:
domainA + IP-addressA + SSLcertA + port443 and
domainB + IP-addressA + SSLcertB + port444

Well, I just need to instruct critical parts of some PHP programs out
there to append port 444 to the urls so as not to break urls.

Hehe, I guess it’s a desperate setup since I’m short of buying either a
wildcard ssl OR setting up and maintaining two cloud servers for two domains…

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,42666,43050#msg-43050
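Added example, not the poster's configuration: the port-based workaround from the post above (domainA on 443, domainB on 444, one shared address), written as nginx server blocks with placeholder names, address and paths. It also shows the part the poster has to handle in the application: every absolute URL and every redirect for domainB must carry `:444`, so the plain-HTTP server block for domainB redirects to that port explicitly rather than to the default 443.

```nginx
# Added example (placeholder names, address and paths), not the poster's config.
# One address, two certificates, separated by TCP port instead of by host name.

server {
    listen 203.0.113.10:80;
    server_name domainA.example;
    return 301 https://$host$request_uri;          # default https port, 443
}
server {
    listen 203.0.113.10:443 ssl;
    server_name domainA.example;
    ssl_certificate     /etc/nginx/ssl/domainA.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/domainA.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
}

server {
    listen 203.0.113.10:80;
    server_name domainB.example;
    # domainB's TLS endpoint is not on 443, so the redirect must name the port.
    return 301 https://$host:444$request_uri;
}
server {
    listen 203.0.113.10:444 ssl;
    server_name domainB.example;
    ssl_certificate     /etc/nginx/ssl/domainB.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/domainB.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    # Redirects nginx generates itself keep the port because port_in_redirect
    # defaults to on; URLs built inside the PHP application still need :444
    # added by hand, which is the "critical parts" the post refers to.
}
```

Because each listen socket now has exactly one server block, the certificate is fixed by the port alone and no SNI is involved; `openssl s_client -connect 203.0.113.10:444` without `-servername` returns domainB's certificate. The cost is that domainB's HTTPS is on a non-standard port, which some outbound firewalls and proxies do not allow.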

Hi,

Yes, this will work because of the different tcp ports.

If you’re going to have one tcp port per ssl host you will be able to
run them all on a single ip address.

Best,

Andreas

You could try SNI, but it’s not supported by all browsers yet. Other
than that, for the same ip address you have to have different ports.


() ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\ ascii ribbon campaign - against html e-mail

On Tue, Jan 19, 2010 at 09:59:29AM -0500, jasonago wrote:

domainB + IP-addressA + SSLcertB + port443

But I was able to get the following configuration working as a desperate hack to use two different ssl certs with the same IP address by listening on two different ports:
domainA + IP-addressA + SSLcertA + port443 and
domainB + IP-addressA + SSLcertB + port444

Well, I just need to instruct critical parts of some PHP programs out there to append port 444 to the urls so as not to break urls.

Hehe, I guess it’s a desperate setup since I’m short of buying either a wildcard ssl OR setting up and maintaining two cloud servers for two domains…

Yes, you may use a non-standard port; however, note that there may be
client firewalls/proxies which forbid connections to non-standard ports.


Igor S.
http://sysoev.ru/en/
