ERR_SPDY_PROTOCOL_ERROR Nginx !!

shahzaib mushtaq shahzaib.cb at gmail.com
Fri Aug 4 11:13:26 UTC 2017


Hi,

Guys is there anything i am missing with SSL for multiple vhosts due to
which the vhost Order is overlapping the other one ?

Shahzaib

On Fri, Aug 4, 2017 at 2:12 AM, shahzaib mushtaq <shahzaib.cb at gmail.com>
wrote:

> I've noticed that its related to the orders of virtual host files. For
> example if vhost of mydomain.com comes first than yourdomain.com then SSL
> CN (common name) for both domains will be *.mydomain.com.
>
> And if vhost of yourdomain.com comes before than mydomain.com then common
> name for both domains is yourdomain.com .
>
>
>
> On Fri, Aug 4, 2017 at 2:01 AM, shahzaib mushtaq <shahzaib.cb at gmail.com>
> wrote:
>
>> Update:
>>
>> Now i removed vhost for mydomain.com and yourdomain.com is now showing
>> correct Common name. So there's some kind of overlapping in vhosts.
>>
>>
>>
>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon> Virus-free.
>> www.avast.com
>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link>
>> <#m_6887420271712490320_m_-2776267015937845177_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>>
>> On Thu, Aug 3, 2017 at 9:13 PM, shahzaib mushtaq <shahzaib.cb at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> >>As far as I know, there are about half a dozen "latest" versions of
>>> Google Chrome, and none of them are version 64 currently.
>>>
>>> Your're right sorry, the version latest is 60.
>>>
>>>
>>> >>You have one client that reports an error message.What are the
>>> specific circumstances under which that version of that
>>> client can report that error message? That information may give a hint
>>> as to where the problem is.
>>>
>>> Well, i can generate this issue without a problem all i've to do is
>>> create a test.html page, put 5 x static video links (our server http2 mp4
>>> video links) and play them simultaneously. For the  first request they'll
>>> start playing with *200* status in inspect element under *Network *tab
>>> but for further chunk requests from chrome, it'll stuck in *pending *and
>>> under *Console *tab spdy error will start to occur. Once i've disabled
>>> HTTP2 that issue is gone but 'pending' status issue still was there which i
>>> think is linked with my below issue :
>>>
>>> ------------------------------------------------------------
>>> ----------------
>>>
>>> Now we think there's issue with one SSL certificate which we renewed
>>> recently. Our server has actually two different domain SSL certificates
>>> configured on same ip;
>>>
>>> *.mydomain.com
>>> *.yourdomain.com (*Renewed*)
>>>
>>> We've configured both these certificates vhosts in
>>> /usr/local/etc/nginx/vhosts/ directory. After installing certificate we
>>> tested it with sslshopper and both were installed properly (CN,
>>> Intermediate Chain etc were properly listed for each).
>>>
>>> Now here is the twist comes. Recently we've renewed the SSL certificate
>>> for **.yourdomain.com <http://yourdomain.com>* from *Godaddy *and after
>>> that sslshopper shows correct CN and intermediate chain for new certificate
>>> (*.yourdomain.com) but openssl is showing the CN of *.yourdomain.com as
>>> of *.mydomain.com.
>>>
>>> I repeat SSLshopper and SSLLabs shows proper CN (common name) but if i
>>> use openssl command to verify it :
>>>
>>> [root at cw012 /usr/ports/security/ca_root_nss]#  openssl s_client
>>> -connect s4.yourdomain.com:443 |head -30depth=2 C = US, O = GeoTrust
>>> Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust
>>> Primary Certification Authority - G3verify return:1s_clidepth=1 C = US, O =
>>> GeoTrust Inc., CN = RapidSSL SHA256 CA - G2verify return:1head depth=0 CN = **.mydomain.com
>>> <http://mydomain.com>*
>>>
>>> Here you can see that CN is *.mydomain.com instead of *.yourdomain.com.
>>>
>>> ==============================================
>>>
>>> Now for testing i had disabled vhost for yourdomain.com and used only
>>> single mydomain.com after which requests for serving files improved
>>> drastically before that, if we would had hit a page, it'll first go to
>>> 'pending' status in chrome inspect element and after few time it'll show
>>> 200 status but now it goes directly to 200 status.
>>>
>>> I'm really confused on what's happening right now but if someone has
>>> faced this experience before please let me know, on first i thought there
>>> could be nginx config issue but the problem is SSLshopper and ssllabs are
>>> showing proper CName so now i think maybe its related to chrome
>>>
>>>
>>> Thanks for your help.
>>> Shahzaib
>>>
>>>
>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon> Virus-free.
>>> www.avast.com
>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link>
>>> <#m_6887420271712490320_m_-2776267015937845177_m_1565204697939808308_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>>>
>>> On Thu, Aug 3, 2017 at 12:27 PM, Francis Daly <francis at daoine.org>
>>> wrote:
>>>
>>>> On Wed, Aug 02, 2017 at 01:17:06PM +0500, shahzaib mushtaq wrote:
>>>>
>>>> Hi there,
>>>>
>>>> > Thanks for response well i've tried lot more things, updated FreeBsd,
>>>> > updated openssl but issue is still there. Do you think is there any
>>>> > possibility it is linked with Nginx ?
>>>>
>>>> You have one client that reports an error message.
>>>>
>>>> What are the specific circumstances under which that version of that
>>>> client can report that error message? That information may give a hint
>>>> as to where the problem is.
>>>>
>>>> Is the problem repeatable? As in: if you do a fresh install with no
>>>> historical information of the client browser (a new "profile" or under
>>>> a new user account), do you see the same behaviour?
>>>>
>>>> In a later mail, you suggest that you have two test nginx instances,
>>>> and one client reports the error against one instance and not against
>>>> the other.
>>>>
>>>> "nginx -V" on each could be used to identify any differences in the
>>>> compile-time settings. "nginx -T" on each could be used to identify any
>>>> difference in the run-time configuration.
>>>>
>>>> > https://pastebin.com/gaVWfWJv
>>>> >
>>>> > >>There is more than one version of google chrome. Some web reports
>>>> suggest
>>>> > that SPDY support was going to be removed in version 51.
>>>> >
>>>> > Chrome version is 64 latest which has removed spdy and supports HTTP2
>>>> i
>>>> > guess.
>>>>
>>>> As far as I know, there are about half a dozen "latest" versions of
>>>> Google Chrome, and none of them are version 64 currently.
>>>>
>>>> If you ask for help in a Google Chrome mailing list, you may want to
>>>> provide the specific version number there to allow them to identify what
>>>> exactly you are running.
>>>>
>>>> Good luck with it,
>>>>
>>>>         f
>>>> --
>>>> Francis Daly        francis at daoine.org
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170804/8c83b25e/attachment-0001.html>


More information about the nginx mailing list