Trac.nginx.org incorrect https

I noticed that trac.nginx.org has https/SNI configured for the host
but no actual ssl configuration (how do you even do that):

$ openssl s_client -connect trac.nginx.org:443 -servername
trac.nginx.org
CONNECTED(00000003)
140010415498912:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:770:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 318 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Relevant (which is how I noticed it in the first place):

https://github.com/EFForg/https-everywhere/pull/1993

Hello!

On Thu, Jun 25, 2015 at 06:16:42PM +0900, Edho A. wrote:

I noticed that trac.nginx.org has https/SNI configured for the host
but no actual ssl configuration (how do you even do that):

The trac.nginx.org domain isn’t available via https.

The IP address trac.nginx.org maps to does have other sites
answering on https/SNI though, and to avoid sending invalid
certificate the “ssl_ciphers aNULL;” is used in the default server
configuration. This is what causes the message you see.

SSL handshake has read 7 bytes and written 318 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

JFYI:

You can use something like

$ openssl s_client -connect trac.nginx.org:443 -servername
trac.nginx.org -cipher aNULL

to establish a connection. (Requests won’t work though, as the
same server also have “return 444;” in the configuration.)

Relevant (which is how I noticed it in the first place):

https://github.com/EFForg/https-everywhere/pull/1993

When people try to use something they weren’t asked to, it
strikes back.


Maxim D.
http://nginx.org/

On Sat, Jul 4, 2015 at 2:48 PM, Maxim D. [email protected] wrote:

answering on https/SNI though, and to avoid sending invalid

Whoever added it probably didn’t actually try accessing the
site. It has been removed. Thanks.