<div dir="auto"><div><span style="font-family:'roboto slab',serif;font-size:16px;background-color:rgb(255,255,255)"> </span><span style="font-size:16px;background-color:rgb(255,255,255)"><font face="monospace, serif">You'll need to pass the servername parameter for openssl s_client to pass the SNI, e.g.</font></span></div><div dir="auto"><font face="monospace, serif"><span style="font-size:13.6px"><br></span></font></div><div dir="auto"><span style="font-family:sans-serif">openssl s_client -servername <a href="http://s4.yourdomain.com">s4.yourdomain.com</a> -connect </span><a href="http://s4.yourdomain.com:443/" style="font-family:sans-serif">s4.yourdomain.com:443</a><span style="font-family:sans-serif"> </span><font face="monospace, serif"><span style="font-size:13.6px"><br></span></font><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On Aug 4, 2017 8:55 AM, "shahzaib mushtaq" &lt;<a href="mailto:shahzaib.cb@gmail.com">shahzaib.cb@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,</div><div><br></div><div>Our Nginx server is configured with two different domain SSL certificates on the same IP:</div><div><br></div><div>*.<a href="http://mydomain.com" target="_blank">mydomain.com</a></div><div>*.<a href="http://yourdomain.com" target="_blank">yourdomain.com</a> (Renewed)</div><div><br></div><div>We've configured vhosts for both these certificates in the /usr/local/etc/nginx/vhosts/ directory. After installing the certificates we tested them with sslshopper and both were installed properly (CN, intermediate chain etc. were properly listed for each).</div><div><br></div><div>Now here comes the confusing part. 
Recently we've renewed the SSL certificate for *.<a href="http://yourdomain.com" target="_blank">yourdomain.com</a> from GoDaddy, and after installing it sslshopper shows the correct CN and intermediate chain for the new certificate (*.<a href="http://yourdomain.com" target="_blank">yourdomain.com</a>), but openssl shows its CN as *.<a href="http://mydomain.com" target="_blank">mydomain.com</a> instead of *.<a href="http://yourdomain.com" target="_blank">yourdomain.com</a>.</div><div><br></div><div>I repeat, SSLshopper and SSLLabs show the proper CN (common name), but if I use the openssl command to verify it:</div><div><br></div><div>[root@cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect <a href="http://s4.yourdomain.com:443" target="_blank">s4.yourdomain.com:443</a> | head -30<br>depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3<br>verify return:1<br>depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2<br>verify return:1<br>depth=0 CN = *.<a href="http://mydomain.com" target="_blank">mydomain.com</a></div><div><br></div><div>Here you can see that the CN is *.<a href="http://mydomain.com" target="_blank">mydomain.com</a> instead of *.<a href="http://yourdomain.com" target="_blank">yourdomain.com</a>. 
</div><div><br></div><div>We were also seeing a lot of delay in serving the requests, but once we disabled one of the vhosts the CN started to show the correct domains and performance improved drastically.</div><div><br></div><div>To test it further with nginx we reversed the order of the virtual hosts and moved the virtual host of <a href="http://yourdomain.com" target="_blank">yourdomain.com</a> above <a href="http://mydomain.com" target="_blank">mydomain.com</a>, and now the CN for both (<a href="http://mydomain.com" target="_blank">mydomain.com</a> and <a href="http://yourdomain.com" target="_blank">yourdomain.com</a>) shows *.<a href="http://yourdomain.com" target="_blank">yourdomain.com</a>. So we concluded that it's due to the order of the virtual hosts: the vhost which comes first will overlap the CN for all other domains coming beneath it.</div><div><br></div><div>Is there any way to get this fixed?</div><div><br></div><div>Here is the configuration of the vhosts:</div><div><br></div>
<div>server {</div>
<div>        listen 443;</div>
<div>        ssl on;</div>
<div>        server_name <a href="http://s4.mydomain.com" target="_blank">s4.mydomain.com</a>;</div>
<div>        ssl_certificate /etc/ssl/certs/mydomain/mydomain-combined.crt;</div>
<div>        ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;</div>
<div>        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;</div>
<div>        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';</div>
<div>        ssl_prefer_server_ciphers on;</div>
<div>        location / {</div>
<div>            root /yourdomain;</div>
<div>            index index.html index.htm index.php;</div>
<div>        }</div>
<div>}</div>
<div><br></div>
<div>server {</div>
<div>        listen 443;</div>
<div>        ssl on;</div>
<div>        server_name <a href="http://s4.yourdomain.com" target="_blank">s4.yourdomain.com</a>;</div>
<div>        ssl_certificate /etc/ssl/certs/yourdomain/yourdomain-combined.crt;</div>
<div>        ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;</div>
<div>        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;</div>
<div>        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';</div>
<div>        ssl_prefer_server_ciphers on;</div>
<div>        location / {</div>
<div>            root /yourdomain;</div>
<div>            index index.html index.htm index.php;</div>
<div>        }</div>
<div>}</div>
<div><br></div><div>Any advice will be very much appreciated.</div><div><br></div><div>Thanks.<font color="#888888"><br>Shahzaib</font></div></div>
<br>_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br></blockquote></div><br></div></div></div>
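The check the reply describes, probing once with `-servername` and once without and comparing the leaf certificate each run presents, written out as an added example. It is not code from the thread, from nginx or from OpenSSL. It parses the `depth=N <subject>` lines that `openssl s_client` prints (the format visible in the quoted terminal session) and runs offline on constructed sample output modelled on that session; the `s4.yourdomain.com` and `*.mydomain.com` names come from the thread, while the function names and the trailing `verify return:1` after the leaf line are my own choices.

```python
"""Added example: which certificate does a TLS server present with and without SNI?
Parses the "depth=N <subject DN>" lines openssl s_client prints and compares runs.
Hostnames follow the thread; function names and the sample text are constructed."""
import re
import subprocess
from typing import List, Optional

# openssl s_client prints one "depth=N <subject DN>" line per chain element,
# depth=0 being the leaf (server) certificate. These lines go to stderr.
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
CN_RE = re.compile(r"(?:^|,\s*)CN\s*=\s*([^,]+)")

# Constructed sample output, modelled on the quoted terminal session.
SAMPLE_WITHOUT_SNI = """\
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
depth=0 CN = *.mydomain.com
verify return:1
"""
SAMPLE_WITH_SNI = SAMPLE_WITHOUT_SNI.replace("*.mydomain.com", "*.yourdomain.com")


def s_client_cmd(host: str, port: int = 443, sni: bool = True) -> List[str]:
    """Build the s_client argument list; -servername is what puts SNI on the wire."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if sni:
        cmd += ["-servername", host]
    return cmd


def leaf_cn(output: str) -> Optional[str]:
    """CN of the depth=0 certificate in s_client output, or None if no leaf line."""
    for line in output.splitlines():
        m = DEPTH_RE.match(line.strip())
        if m and m.group(1) == "0":
            cn = CN_RE.search(m.group(2))
            return cn.group(1).strip() if cn else None
    return None


def name_matches(cert_name: str, hostname: str) -> bool:
    """Hostname check as TLS clients apply it: '*' covers exactly one leftmost label."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        suffix = cert_name.split(".")[1:]
        labels = hostname.split(".")
        return len(labels) == len(suffix) + 1 and labels[1:] == suffix
    return cert_name == hostname


def diagnose(hostname: str, with_sni: str, without_sni: str) -> str:
    """Compare the two probes and name the situation they show."""
    cn_sni, cn_plain = leaf_cn(with_sni), leaf_cn(without_sni)
    if cn_sni is None:
        return "no-leaf-cert"
    if not name_matches(cn_sni, hostname):
        # Wrong cert even with SNI: the server_name/certificate mapping itself is off.
        return "wrong-cert-with-sni"
    if cn_plain != cn_sni:
        # Correct cert with SNI; clients that send no SNI get the default server's cert.
        return "ok-sni-required"
    return "ok"


def probe(host: str, port: int = 443, sni: bool = True, timeout: float = 10.0) -> str:
    """Run openssl s_client against a live host and return stdout+stderr (needs network)."""
    proc = subprocess.run(s_client_cmd(host, port, sni), input=b"",
                          capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode(errors="replace")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python sni_check.py s4.yourdomain.com
        target = sys.argv[1]
        print(diagnose(target, probe(target), probe(target, sni=False)))
    else:  # offline demo on the constructed samples
        print(diagnose("s4.yourdomain.com", SAMPLE_WITH_SNI, SAMPLE_WITHOUT_SNI))
```

On the thread's setup the offline demo reports `ok-sni-required`: the renewed `*.yourdomain.com` certificate is served whenever the client names the host, and only SNI-less probes (such as `openssl s_client` without `-servername`) fall through to the first `server` block's certificate. A `wrong-cert-with-sni` result is the case that actually needs an nginx change, and `name_matches` deliberately refuses a wildcard for the bare domain or for a second-level host, since browsers do the same.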