Intermittent SSL Handshake Errors

B.R. reallfqq-nginx at yahoo.fr
Sun Jul 12 17:37:47 UTC 2015


Out of thin air, I suspect it is a certificate problem.
You seem to have configured *the same* certificate (and private key) for
those 2 domains. Since certificates are generally tied to a single domain,
that could explain errors.

Another idea: have you checked nginx has been built with SNI support and
your client also supports it? Problems with SNI would mean the default
server certificate (since you did not define a default server for your IP
address/port pair, nginx would pick up the first block containing a
'listen' directive configured for it) would be presented whatever domain
you are trying to access, ending up with certificate/domain mismatch.
See http://nginx.org/en/docs/http/configuring_https_servers.html.
---
*B. R.*

On Sun, Jul 12, 2015 at 6:33 PM, flechamobile <nginx-forum at nginx.us> wrote:

> I found myself with the same problem and found the cause (and obvious
> solution).
>
> On my nginx server I run various websites and they all have their own server
> {} config block in separate files under 'sites-available' folder.
> Some sites are on different IPs and some are on the same IP.
>
> Now the cause of the problem was because I had set 2 server blocks
> listening on the same IP on SSL for different server_names like so:
>
> server {
>         listen 37.230.101.215:443 ssl spdy;
>         server_name www.domain1.com *.domain1.com;
>
>         ssl on;
>         ssl_certificate /etc/ssl/cert.crt;
>         ssl_certificate_key /etc/ssl/key.key;
>         ssl_session_cache shared:SSL:10m;
>         ssl_session_timeout 10m;
>
> ..etc
> }
>
> and for another site the same:
>
> server {
>         listen 37.230.101.215:443 ssl spdy;
>         server_name www.domain2.com *.domain2.com;
>
>         ssl on;
>         ssl_certificate /etc/ssl/cert.crt;
>         ssl_certificate_key /etc/ssl/key.key;
>         ssl_session_cache shared:SSL:10m;
>         ssl_session_timeout 10m;
>
> ..etc
> }
>
> When you do this it gives the exact same error as this thread is about..
> might be something to check.
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256373,260227#msg-260227
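Added example (not part of the original messages, and not nginx code): a Python model of the certificate selection described in the reply, run over the two quoted server blocks to list which names would hit a certificate/domain mismatch with and without SNI. The certificate name list in CERT_NAMES is an assumed, constructed value, and the parser only handles flat server blocks.

```python
import re
# Constructed input: the two quoted server blocks, trimmed to the relevant directives.
CONF = """
server { listen 37.230.101.215:443 ssl spdy; server_name www.domain1.com *.domain1.com;
         ssl_certificate /etc/ssl/cert.crt; }
server { listen 37.230.101.215:443 ssl spdy; server_name www.domain2.com *.domain2.com;
         ssl_certificate /etc/ssl/cert.crt; }
"""
# Assumption (constructed): the names the shared certificate is valid for.
CERT_NAMES = {"/etc/ssl/cert.crt": ["domain1.com", "*.domain1.com"]}

def parse_servers(conf):
    """Parse flat server blocks (no nested braces) into dicts."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        def get(key):
            m = re.search(rf"(?:^|;)\s*{key}\s+([^;]+);", body)
            return m[1].split() if m else []
        listen, cert = get("listen"), get("ssl_certificate")
        if listen and cert:
            servers.append({"addr": listen[0], "default": "default_server" in listen,
                            "names": get("server_name"), "cert": cert[0]})
    return servers

def covers(pattern, host):
    """True if pattern equals host or is a wildcard for host's leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    return pattern == host or (pattern.startswith("*.") and host.partition(".")[2] == pattern[2:])

def select_block(servers, addr, sni):
    """Simplified model: first block whose server_name matches the SNI name,
    otherwise the default block (default_server flag, else first for the address)."""
    group = [s for s in servers if s["addr"] == addr]
    default = next((s for s in group if s["default"]), group[0])
    if sni is not None:
        return next((s for s in group if any(covers(n, sni) for n in s["names"])), default)
    return default

def audit(conf, cert_names):
    """Return (server_name, client_kind) pairs that would see a name mismatch."""
    servers, findings = parse_servers(conf), []
    for s in servers:
        for name in s["names"]:
            for kind, sni in (("sni", name), ("no-sni", None)):
                cert = select_block(servers, s["addr"], sni)["cert"]
                if not any(covers(c, name) for c in cert_names.get(cert, [])):
                    findings.append((name, kind))
    return findings

if __name__ == "__main__":
    print(audit(CONF, CERT_NAMES))
```

With one certificate per block, the same audit reports only the "no-sni" rows for the non-default block, which is the default-server case the reply describes.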