proxy_ssl_verify error: 'upstream SSL certificate does not match "" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Sergey Kandaurov pluknet at
Tue Jun 2 09:51:55 UTC 2020

> On 2 Jun 2020, at 07:58, PGNet Dev < at> wrote:
> 	2020/06/02 00:50:08 [info] 20166#20166: *3 client attempted to request the server name different from the one that was negotiated while reading client request headers, client:, server:, request: "GET /app1 HTTP/1.1", host: ""
> now, need to stare at this and try to figure out 'why?'

That means the client provided the TLS "server_name" extension (SNI),
then requested a different origin in the Host header.

In your case, the mangled name "" (via SNI)
didn't match another mangled name "" (in Host).

For the formal specification, see the last paragraph in RFC 6066, section-3:

   If an application negotiates a server name using an application
   protocol and then upgrades to TLS, and if a server_name extension is
   sent, then the extension SHOULD contain the same name that was
   negotiated in the application protocol.  If the server_name is
   established in the TLS session handshake, the client SHOULD NOT
   attempt to request a different server name at the application layer.

421 is defined for such cases in HTTP.

Sergey Kandaurov
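
The check described in the reply above, as an added Python sketch that is not part of the original message and is not nginx source code. The names normalize_host and check_request and the example.com hosts are assumptions made for illustration.

```python
from typing import Optional


def normalize_host(value: str) -> str:
    """Reduce an SNI name or Host header value to a comparable host name."""
    host = value.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal in Host, e.g. "[::1]:8443": keep "[::1]".
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if ":" in host:
        # Drop an explicit port, e.g. "app.example.com:443".
        host = host.rsplit(":", 1)[0]
    # A trailing dot (fully qualified form) names the same host.
    return host.rstrip(".")


def check_request(sni: Optional[str], host_header: Optional[str]) -> int:
    """Return the HTTP status a server could answer with.

    400: no Host header (required in HTTP/1.1).
    421: Host names a different server than the one negotiated via SNI.
    200: no SNI was sent, or SNI and Host agree.
    """
    if not host_header:
        return 400
    if not sni:
        # No server_name extension: no name was negotiated in the handshake.
        return 200
    if normalize_host(sni) != normalize_host(host_header):
        return 421
    return 200


# Constructed sample requests: (SNI from the handshake, Host header value).
SAMPLES = [
    ("app.example.com", "app.example.com"),
    ("app.example.com", "APP.example.com:443"),
    ("app.example.com", "other.example.com"),
    (None, "other.example.com"),
]

if __name__ == "__main__":
    for sni, host in SAMPLES:
        print(f"SNI={sni!r:22} Host={host!r:24} -> {check_request(sni, host)}")
```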
