Possible SSL "bug"

Jim Ohlstein jim at ohlste.in
Wed Aug 3 02:20:56 UTC 2011


Hello,

Not sure if this is a browser issue or if it is an nginx issue.

When using SSL I have encountered a problem using my Android device with
user agent "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
Safari/533.1". It seems the wrong SSL cert is being presented to just
this one browser (that I can determine).

My config *was* as follows:

nginx.conf (A record for this server_name is 75.126.0.178):

...
    # HTTPS server
    #
    server {
        listen [2607:f0d0:1001:2::3]:443;
        listen       443;
        server_name  mickey.jlkhosting.com;

        ssl                  on;
        ssl_certificate     /etc/ssl/certs/jlkhosting_com.crt;
        ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv3 TLSv1;
        ssl_ciphers  HIGH:!ADH:!MD5;
        ssl_prefer_server_ciphers   on;
...


vhost jlkhosting.com (A record is 75.126.13.208):

...
server {
    listen 443 ssl;
    server_name jlkhosting.com;
...
    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ssl_certificate     /etc/ssl/certs/jlkhosting_com.crt;
    ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;
    ssl_session_cache    shared:SSL:2m;
    ssl_session_timeout  10m;
    keepalive_timeout    70;
...


vhost worldwartwozone.com (A record is 75.126.13.209):

server {
    listen [2607:f0d0:1001:2::3]:80;
    listen 80;
    listen [2607:f0d0:1001:2::3]:443 ssl;
    listen 443 ssl;
    server_name worldwartwozone.com;
...

    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ssl_certificate      /etc/ssl/certs/worldwartwozone_com.crt;
    ssl_certificate_key  /etc/ssl/certs/worldwartwozone_com.key;
    ssl_session_cache    shared:SSL:2m;
    ssl_session_timeout  10m;
    keepalive_timeout    70;


As you can see, all hosts are on different IPs. The certificate at
/etc/ssl/certs/jlkhosting_com.crt is a wildcard for *.jlkhosting.com.

This arrangement works fine in (almost) all browsers. Attached are
screenshots from Firefox which show the correct certificate being used.
Today, I tried logging into worldwartwozone.com from my Android phone
and received the errors in the third and fourth attachments. Clearly,
the certificate that is being presented is the wrong one.

The fix is to tighten up the vhost configuration file to have it listen
on only one IP as follows:

server {
    listen [2607:f0d0:1001:2::3]:80;
    listen 75.126.13.209:80;
    listen [2607:f0d0:1001:2::3]:443 ssl;
    listen 75.126.13.209:443 ssl;
    server_name worldwartwozone.com;
...

    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ssl_certificate      /etc/ssl/certs/worldwartwozone_com.crt;
    ssl_certificate_key  /etc/ssl/certs/worldwartwozone_com.key;
    ssl_session_cache    shared:SSL:2m;
    ssl_session_timeout  10m;
    keepalive_timeout    70;
...


However, I have never had to do this before. This is the only user agent
for which I have had to make this adjustment. It worked fine on Firefox,
Opera, Chrome, and Safari for Mac, and IE9, Firefox, and Chrome for
Windows. It also worked properly on an iPhone 3GS that I tested. Using
the specific IPv4 address works as you can see in the last attachment.

# nginx -V
nginx: nginx version: nginx/1.0.5
nginx: TLS SNI support enabled
nginx: configure arguments: --prefix=/usr/local/etc/nginx
--with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--with-file-aio --with-ipv6
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_flv_module
--add-module=/usr/ports/www/nginx-devel/work/nginx_mod_h264_streaming-2.2.7
--with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-pcre


-- 
Jim Ohlstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen-Shot-2011-08-02-at-9.20.35-PM.png
Type: image/png
Size: 41718 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20110802/e95894cb/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen-Shot-2011-08-02-at-9.20.06-PM.png
Type: image/png
Size: 35474 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20110802/e95894cb/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: device-2011-08-02-213336.png
Type: image/png
Size: 22058 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20110802/e95894cb/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: device-2011-08-02-213319.png
Type: image/png
Size: 21246 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20110802/e95894cb/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: device-2011-08-02-221205.png
Type: image/png
Size: 23446 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20110802/e95894cb/attachment-0009.png>
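The selection rule behind the symptom in the post, as an added example (this is not the author's configuration logic or nginx's own code): a small model of which server block, and therefore which certificate, nginx hands to a TLS client that sends no SNI, applied to the before and after configs above. It assumes the mickey.jlkhosting.com block in nginx.conf is loaded before the included vhost files, and it omits the IPv6 listens.

```python
# Added example (not from the post): a model of how nginx picks the server
# block, and so the certificate, for a TLS client that sends no SNI, applied
# to the post's before/after configs. Assumption: the mickey.jlkhosting.com
# block in nginx.conf is loaded before the included vhosts, so it comes first.
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    cert: str
    listens: list  # (address, port) pairs; "*" stands for a bare `listen 443`


def parse_listen(directive):
    """Map 'listen 443', 'listen 1.2.3.4:443 ssl' or 'listen [2607::3]:443 ssl'
    to an (address, port) pair."""
    spec = directive.split()[1]
    if spec.startswith("["):              # IPv6 literal in brackets
        addr, _, port = spec[1:].partition("]:")
        return addr, int(port)
    if ":" in spec:                       # explicit IPv4:port
        addr, port = spec.rsplit(":", 1)
        return addr, int(port)
    return "*", int(spec)                  # bare port: binds every address


def default_server(servers, ip, port):
    """Without SNI nginx answers with the default server for the local ip:port:
    a server with an exact listen for that address beats ones on the wildcard
    socket, and among those the first one defined wins."""
    exact = [s for s in servers if (ip, port) in s.listens]
    if exact:
        return exact[0]
    wild = [s for s in servers if ("*", port) in s.listens]
    return wild[0] if wild else None


# Server blocks constructed from the post (IPv6 listens omitted for brevity).
MICKEY = Server("mickey.jlkhosting.com", "jlkhosting_com.crt", [parse_listen("listen 443")])
JLK = Server("jlkhosting.com", "jlkhosting_com.crt", [parse_listen("listen 443 ssl")])
WW2_BEFORE = Server("worldwartwozone.com", "worldwartwozone_com.crt",
                    [parse_listen("listen 443 ssl")])
WW2_AFTER = Server("worldwartwozone.com", "worldwartwozone_com.crt",
                   [parse_listen("listen 75.126.13.209:443 ssl")])
BEFORE = [MICKEY, JLK, WW2_BEFORE]  # every vhost shares the wildcard socket
AFTER = [MICKEY, JLK, WW2_AFTER]    # the post's fix: bind to the vhost's own IP
```

Against a live host the same check is `openssl s_client -connect IP:443` run with and without `-servername host`: if the two handshakes return different certificates, non-SNI clients are getting the default server's certificate for that address.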