Possible SSL "bug"
Igor Sysoev
igor at sysoev.ru
Wed Aug 3 07:25:54 UTC 2011
On Tue, Aug 02, 2011 at 10:20:56PM -0400, Jim Ohlstein wrote:
> Hello,
>
> Not sure if this is a browser issue or if it is an nginx issue.
>
> When using SSL I have encountered a problem using my Android device with
> user agent "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
> Safari/533.1". It seems the wrong SSL cert is being presented to just
> this one browser (that I can determine).
>
> My config *was* as follows:
>
> nginx.conf (A record for this server_name is 75.126.0.178):
>
> ...
> # HTTPS server
> #
> server {
>     listen [2607:f0d0:1001:2::3]:443;
>     listen 443;
>     server_name mickey.jlkhosting.com;
>
>     ssl on;
>     ssl_certificate /etc/ssl/certs/jlkhosting_com.crt;
>     ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;
>
>     ssl_session_timeout 5m;
>
>     ssl_protocols SSLv3 TLSv1;
>     ssl_ciphers HIGH:!ADH:!MD5;
>     ssl_prefer_server_ciphers on;
> ...
>
>
> vhost jlkhosting.com (A record is 75.126.13.208):
>
> ...
> server {
>     listen 443 ssl;
>     server_name jlkhosting.com;
>     ...
>     ssl_protocols SSLv3 TLSv1;
>     ssl_ciphers HIGH:!ADH:!MD5;
>     ssl_certificate /etc/ssl/certs/jlkhosting_com.crt;
>     ssl_certificate_key /etc/ssl/certs/jlkhosting_com.key;
>     ssl_session_cache shared:SSL:2m;
>     ssl_session_timeout 10m;
>     keepalive_timeout 70;
> ...
>
>
> vhost worldwartwozone.com (A record is 75.126.13.209):
>
> server {
>     listen [2607:f0d0:1001:2::3]:80;
>     listen 80;
>     listen [2607:f0d0:1001:2::3]:443 ssl;
>     listen 443 ssl;
>     server_name worldwartwozone.com;
>     ...
>
>     ssl_protocols SSLv3 TLSv1;
>     ssl_ciphers HIGH:!ADH:!MD5;
>     ssl_certificate /etc/ssl/certs/worldwartwozone_com.crt;
>     ssl_certificate_key /etc/ssl/certs/worldwartwozone_com.key;
>     ssl_session_cache shared:SSL:2m;
>     ssl_session_timeout 10m;
>     keepalive_timeout 70;
>
>
> As you can see, all hosts are on different IPs. The certificate at
> /etc/ssl/certs/jlkhosting_com.crt is a wildcard for *.jlkhosting.com.
>
> This arrangement works fine in (almost) all browsers. Attached are
> screenshots from Firefox which show the correct certificate being used.
> Today, I tried logging into worldwartwozone.com from my Android phone
> and received the errors in the third and fourth attachments. Clearly,
> the certificate that is being presented is the wrong one.
>
> The fix is to tighten up the vhost configuration file to have it listen
> on only one IP as follows:
>
> server {
>     listen [2607:f0d0:1001:2::3]:80;
>     listen 75.126.13.209:80;
>     listen [2607:f0d0:1001:2::3]:443 ssl;
>     listen 75.126.13.209:443 ssl;
>     server_name worldwartwozone.com;
>     ...
>
>     ssl_protocols SSLv3 TLSv1;
>     ssl_ciphers HIGH:!ADH:!MD5;
>     ssl_certificate /etc/ssl/certs/worldwartwozone_com.crt;
>     ssl_certificate_key /etc/ssl/certs/worldwartwozone_com.key;
>     ssl_session_cache shared:SSL:2m;
>     ssl_session_timeout 10m;
>     keepalive_timeout 70;
> ...
>
>
> However, I have never had to do this before. This is the only user agent
> for which I have had to make this adjustment. It worked fine on Firefox,
> Opera, Chrome, and Safari for Mac, and IE9, Firefox, and Chrome for
> Windows. It also worked properly on an iPhone 3GS that I tested. Using
> the specific IPv4 address works as you can see in the last attachment.
In your initial setup all https virtual servers were name-based:
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

Modern browsers can work with such sites using SNI:
http://nginx.org/en/docs/http/configuring_https_servers.html#sni

It seems that your Android phone does not support SNI.

If a client supports SNI, then in the debug log you will see the line:

SSL server name: "worldwartwozone.com"
--
Igor Sysoev
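The check a practitioner would want after reading this reply: does the client actually send the server_name (SNI) extension, and which certificate does a name-based setup hand out when it does not? The following is an added example, not code from the thread or from nginx. It builds two constructed TLS 1.0 ClientHello records (one with SNI, one without), parses the server_name extension (type 0, RFC 6066) out of a record, and models nginx's choice of virtual server: the SNI name is matched against server_name, and a client without SNI (or with a name that matches nothing) gets the default server, which is the first server listed for that socket unless default_server is set. The host and certificate file names are those from the thread; the model only does exact server_name matching (nginx's wildcard and regex names are not modelled), and the server ordering is an assumption.

```python
"""Added example: detect SNI in a ClientHello and model nginx's name-based
certificate selection. Not part of the nginx mailing-list thread."""
import struct

SNI_EXTENSION_TYPE = 0  # server_name, RFC 6066
HOST_NAME = 0           # NameType.host_name


def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS 1.0 ClientHello record,
    with a server_name extension when server_name is given."""
    body = b"\x03\x01" + b"\x00" * 32          # client_version + fixed random
    body += b"\x00"                             # empty session_id
    suites = b"\x00\x2f\x00\x35"                # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension of a ClientHello
    record, or None when the client sent no SNI (the Android case here)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + body[pos]                        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                           # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos >= len(body):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(servers, sni):
    """servers: ordered list of (server_name, certificate) sharing one
    listen socket. Exact match on the SNI name; otherwise the default
    server (first listed) answers, exactly as a non-SNI client sees it."""
    if sni is not None:
        for name, cert in servers:
            if name == sni:
                return cert
    return servers[0][1]


# Assumed ordering of the thread's name-based servers on *:443.
SERVERS = [
    ("mickey.jlkhosting.com", "jlkhosting_com.crt"),
    ("jlkhosting.com", "jlkhosting_com.crt"),
    ("worldwartwozone.com", "worldwartwozone_com.crt"),
]

if __name__ == "__main__":
    for hello in (build_client_hello("worldwartwozone.com"), build_client_hello()):
        sni = extract_sni(hello)
        print("SSL server name:", sni, "->", select_certificate(SERVERS, sni))
```

To test a real client, capture the first bytes it sends on port 443 (for example with tcpdump) and pass that TLS record to extract_sni; a None result is the same condition the "SSL server name:" line would reveal in the nginx debug log. Binding each server to its own IP address, as the original poster did, removes the dependency on SNI because the socket alone identifies the server.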