proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?
Francis Daly
francis at daoine.org
Tue Jun 2 15:27:28 UTC 2020
On Tue, Jun 02, 2020 at 12:51:55PM +0300, Sergey Kandaurov wrote:
Hi there,
> That means client provided TLS "server_name" extension (SNI),
> then requested a different origin in the Host header.
That suggests that if you choose to use "proxy_ssl_server_name on;",
then you almost certainly do not want to add your own "proxy_set_header
Host" value.
The nginx code probably should not try to check for (and reject) that
combination of directives-and-values; but might it be worth adding a
note to http://nginx.org/r/proxy_ssl_server_name to say that that other
directive is probably a bad idea, especially if you get an HTTP 421 response
from your upstream?
Cheers,
f
--
Francis Daly francis at daoine.org
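
The combination discussed in this message, shown as a configuration fragment for the http{} context. This is an added example, not part of the original post or of the nginx documentation. front.example.net, the ports and the CA file path are assumptions; test.example.com is the upstream name from the subject line.

```nginx
# Constructed example. Place inside http { }.

# Mismatched: SNI and Host name two different origins.
server {
    listen 8080;
    server_name front.example.net;          # assumed client-facing name

    location / {
        proxy_pass https://test.example.com;
        proxy_ssl_server_name on;            # SNI = proxy_ssl_name, default $proxy_host
                                             #     = test.example.com
        proxy_set_header Host $host;         # Host = front.example.net, differs from SNI;
                                             # an upstream may answer 421
    }
}

# Consistent: one name drives SNI, certificate verification and Host.
server {
    listen 8081;
    server_name front.example.net;

    location / {
        proxy_pass https://test.example.com;
        proxy_ssl_server_name on;
        proxy_ssl_name test.example.com;     # explicit; equals the default $proxy_host here
        proxy_ssl_verify on;                 # certificate is checked against proxy_ssl_name
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # placeholder path
        # No proxy_set_header Host: nginx sends "Host: $proxy_host" by default,
        # so the Host header matches the SNI name.
    }
}
```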