SSL Multiple Vhost Overlapping common name [CN]

Joshua Cooley cooley.josh at gmail.com
Fri Aug 4 14:03:22 UTC 2017


You'll need to pass the servername parameter for openssl s_client to pass
the SNI, e.g.

openssl s_client -servername s4.yourdomain.com -connect s4.yourdomain.com:443

On Aug 4, 2017 8:55 AM, "shahzaib mushtaq" <shahzaib.cb at gmail.com> wrote:

Hi,

Our Nginx server is configured with two different domain SSL certificates
configured on the same IP:

*.mydomain.com
*.yourdomain.com (Renewed)

We've configured vhosts for both of these certificates in the
/usr/local/etc/nginx/vhosts/ directory. After installing the certificates we
tested them with sslshopper and both were installed properly (CN,
intermediate chain etc. were properly listed for each).

Now here comes the confusing part. Recently we renewed the SSL
certificate for *.yourdomain.com from GoDaddy, and after installing it
sslshopper shows the correct CN and intermediate chain for the new
certificate (*.yourdomain.com), but openssl shows its CN as *.mydomain.com
instead of *.yourdomain.com.

I repeat: SSLshopper and SSLLabs show the proper CN (common name), but if I
use the openssl command to verify it:

[root@cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect s4.yourdomain.com:443 | head -30
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
depth=0 CN = *.mydomain.com

Here you can see that CN is *.mydomain.com instead of *.yourdomain.com.

We were also seeing very long delays in serving requests, but once we
disabled one of the vhosts, the CN started to show the correct domains and
performance improved drastically.

To test it further with nginx we reversed the order of the virtual hosts
and moved the virtual host of yourdomain.com above mydomain.com, and
now the CN for both (mydomain.com and yourdomain.com) shows
*.yourdomain.com. So we concluded that it's due to the order of the virtual
hosts: the vhost which comes first overrides the CN for all other domains
coming beneath it.

Is there any way to get this fixed?

Here is the configuration of the vhosts:

server {
    listen 443 ssl;      # same as 'listen 443;' plus the older 'ssl on;' form
    server_name s4.mydomain.com;
    ssl_certificate     /etc/ssl/certs/mydomain/mydomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    location / {
        root  /yourdomain;
        index index.html index.htm index.php;
    }
}

server {
    listen 443 ssl;      # same as 'listen 443;' plus the older 'ssl on;' form
    server_name s4.yourdomain.com;
    ssl_certificate     /etc/ssl/certs/yourdomain/yourdomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    location / {
        root  /yourdomain;
        index index.html index.htm index.php;
    }
}

Any advice will be very much appreciated.

Thanks.
Shahzaib
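
Added illustration (editor's example, not part of either message above and
not nginx or OpenSSL project code): the reply's point is that `openssl
s_client -connect host:443` on its own sends no SNI, so nginx cannot tell
which vhost is wanted and answers with the default server for that
address:port, which is the first server{} block listed unless one is marked
default_server. That is exactly the "first vhost wins" behaviour observed in
the quoted post. The script below builds a real ClientHello with Python's
standard ssl module (no network: the handshake is driven through MemoryBIO
objects), parses the server_name extension out of it with and without a
hostname, and then models nginx's block selection for the two vhosts quoted
above. The server names and certificate paths are taken from the quoted
configuration; the selection model covers exact server_name matches only
(wildcard and regex names are not modelled) and is the editor's simplification
of nginx's documented rule.

```python
"""Why `openssl s_client` without -servername reports the wrong CN.

Part 1: build a TLS ClientHello offline and read its server_name (SNI) extension.
Part 2: model which server{} block (and so which certificate) nginx picks.
"""
import ssl


def client_hello_bytes(server_hostname):
    """Return the raw ClientHello a client would send, as bytes.

    server_hostname=None mirrors `openssl s_client -connect host:443` with no
    -servername option: no SNI extension is added to the ClientHello.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # nothing is verified; no reply ever arrives
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_side=False,
                        server_hostname=server_hostname)
    try:
        conn.do_handshake()             # writes the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass                            # expected: it now waits for a ServerHello
    return outgoing.read()


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def sni_from_client_hello(data):
    """Parse the server_name extension (RFC 6066) out of a TLS ClientHello.

    Returns the host name as a str, or None when the extension is absent.
    """
    if not data or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record = data[5:5 + _u16(data, 3)]            # strip the 5-byte record header
    if record[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = record[4:4 + int.from_bytes(record[1:4], "big")]
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + _u16(body, pos)                    # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0:                         # server_name extension
            # ServerNameList: 2-byte list length, then (name_type, 2-byte len, name)
            if ext[2] == 0:                       # name_type 0 = host_name
                return ext[5:5 + _u16(ext, 3)].decode("ascii")
    return None


def select_server_block(server_blocks, sni):
    """Editor's model of nginx's choice among server{} blocks on one listen socket.

    server_blocks: [(server_name, ssl_certificate), ...] in configuration order.
    An exact server_name match wins (wildcard/regex names are not modelled).
    With no SNI, or no match, nginx falls back to the default server for that
    address:port, i.e. the first block listed unless one is marked
    default_server, and the client sees that block's ssl_certificate.
    """
    if sni is not None:
        for name, cert in server_blocks:
            if name.lower() == sni.lower():
                return cert
    return server_blocks[0][1]


# The two vhosts from the quoted configuration, in the order they were posted.
VHOSTS = [
    ("s4.mydomain.com", "/etc/ssl/certs/mydomain/mydomain-combined.crt"),
    ("s4.yourdomain.com", "/etc/ssl/certs/yourdomain/yourdomain-combined.crt"),
]


def main():
    for host in (None, "s4.yourdomain.com"):
        sni = sni_from_client_hello(client_hello_bytes(host))
        print(f"server_hostname={host!r:<22} SNI sent={sni!r:<22} "
              f"nginx presents: {select_server_block(VHOSTS, sni)}")


if __name__ == "__main__":
    main()
```

Running it prints one line per case: with no hostname the ClientHello carries
no SNI and the model returns the mydomain certificate (the first block), with
the hostname it carries s4.yourdomain.com and returns the yourdomain
certificate. Swapping the order of VHOSTS flips the no-SNI result, which is
the reordering experiment from the quoted post; adding default_server to the
intended block, or testing with -servername as the reply suggests, removes the
dependence on ordering.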

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx