proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?
francis at daoine.org
Tue Jun 2 15:27:28 UTC 2020
On Tue, Jun 02, 2020 at 12:51:55PM +0300, Sergey Kandaurov wrote:
> That means client provided TLS "server_name" extension (SNI),
> then requested a different origin in the Host header.
That suggests that if you choose to use "proxy_ssl_server_name on;",
then you almost certainly do not want to add your own "proxy_set_header
The nginx code probably should not try to check for (and reject) that
combination of directives-and-values; but might it be worth adding a
note to http://nginx.org/r/proxy_ssl_server_name to say that that other
directive is probably a bad idea, especially if you get a http 421 response
from your upstream?
Francis Daly francis at daoine.org
More information about the nginx