Possible SSL "bug"

Igor Sysoev igor at sysoev.ru
Wed Aug 3 07:25:54 UTC 2011


On Tue, Aug 02, 2011 at 10:20:56PM -0400, Jim Ohlstein wrote:
> Hello,
> 
> Not sure if this is a browser issue or if it is an nginx issue.
> 
> When using SSL I have encountered a problem using my Android device with
> user agent "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
> Safari/533.1". It seems the wrong SSL cert is being presented to just
> this one browser (that I can determine).
> 
> My config *was* as follows:
> 
> nginx.conf (A record for this server_name is 75.126.0.178):
> 
> ...
>     # HTTPS server
>     #
>     server {
>         listen [2607:f0d0:1001:2::3]:443;
>         listen       443;
>         server_name  mickey.jlkhosting.com;
> 
>         ssl                  on;
>         ssl_certificate     /etc/ssl/certs/jlkhosting_com.crt;
>         ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;
> 
>         ssl_session_timeout  5m;
> 
>         ssl_protocols  SSLv3 TLSv1;
>         ssl_ciphers  HIGH:!ADH:!MD5;
>         ssl_prefer_server_ciphers   on;
> ...
> 
> 
> vhost jlkhosting.com (a record is 75.126.13.208):
> 
> ...
> server {
>     listen 443 ssl;
>     server_name jlkhosting.com;
> ...
>     ssl_protocols        SSLv3 TLSv1;
>     ssl_ciphers          HIGH:!ADH:!MD5;
>     ssl_certificate     /etc/ssl/certs/jlkhosting_com.crt;
>     ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;
>     ssl_session_cache    shared:SSL:2m;
>     ssl_session_timeout  10m;
>     keepalive_timeout    70;
> ...
> 
> 
> vhost worldwartwozone.com (A record is 75.126.13.209):
> 
> server {
>     listen [2607:f0d0:1001:2::3]:80;
>     listen 80;
>     listen [2607:f0d0:1001:2::3]:443 ssl;
>     listen 443 ssl;
>     server_name worldwartwozone.com;
> ...
> 
>     ssl_protocols        SSLv3 TLSv1;
>     ssl_ciphers          HIGH:!ADH:!MD5;
>     ssl_certificate      /etc/ssl/certs/worldwartwozone_com.crt;
>     ssl_certificate_key  /etc/ssl/certs/worldwartwozone_com.key;
>     ssl_session_cache    shared:SSL:2m;
>     ssl_session_timeout  10m;
>     keepalive_timeout    70;
> 
> 
> As you can see, all hosts are on different IP's. The certificate at
> /etc/ssl/certs/jlkhosting_com.crt is a wildcard for *.jlkhosting.com.
> 
> This arrangement works fine in (almost) all browsers. Attached are
> screenshots from Firefox which show the correct certificate being used.
> Today, I tried logging into worldwartwozone.com from my Android phone
> and received the errors in the third and fourth attachments. Clearly,
> the certificate that is being presented is the wrong one.
> 
> The fix is to tighten up the vhost configuration file to have it listen
> on only one IP as follows:
> 
> server {
>     listen [2607:f0d0:1001:2::3]:80;
>     listen 75.126.13.209:80;
>     listen [2607:f0d0:1001:2::3]:443 ssl;
>     listen 75.126.13.209:443 ssl;
>     server_name worldwartwozone.com;
> ...
> 
>     ssl_protocols        SSLv3 TLSv1;
>     ssl_ciphers          HIGH:!ADH:!MD5;
>     ssl_certificate      /etc/ssl/certs/worldwartwozone_com.crt;
>     ssl_certificate_key  /etc/ssl/certs/worldwartwozone_com.key;
>     ssl_session_cache    shared:SSL:2m;
>     ssl_session_timeout  10m;
>     keepalive_timeout    70;
> ...
> 
> 
> However, I have never had to do this before. This is the only user agent
> for which I have had to make this adjustment. It worked fine on Firefox,
> Opera, Chrome, and Safari for Mac, and IE9, Firefox, and Chrome for
> Windows. It also worked properly on an iPhone 3GS that I tested. Using
> the specific IPv4 address works as you can see in the last attachment.

In your initial setup all https virtual servers were name-based:
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
The modern browsers can work with such sites using SNI:
http://nginx.org/en/docs/http/configuring_https_servers.html#sni
It seems that your Android phone does not support SNI.
If a client supports SNI then in debug log you will see the line:
    SSL server name: "worldwartwozone.com"


-- 
Igor Sysoev


