proxy_ssl_verify error: 'upstream SSL certificate does not match "" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Francis Daly francis at
Tue Jun 2 15:27:28 UTC 2020

On Tue, Jun 02, 2020 at 12:51:55PM +0300, Sergey Kandaurov wrote:

Hi there,

> That means client provided TLS "server_name" extension (SNI),
> then requested a different origin in the Host header.

That suggests that if you choose to use "proxy_ssl_server_name on;",
then you almost certainly do not want to add your own "proxy_set_header
Host" value.

The nginx code probably should not try to check for (and reject) that
combination of directives-and-values; but might it be worth adding a
note to to say that that other
directive is probably a bad idea, especially if you get an HTTP 421 response
from your upstream?


Francis Daly        francis at
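
The combination discussed in this message, as an added configuration example that is not part of the original post or of the nginx documentation. The hostnames, location paths and CA file path are constructed placeholders.

```nginx
server {
    listen 80;
    server_name www.example.com;

    # Mismatched: the SNI sent to the upstream and the Host header name
    # different origins, which an upstream may answer with HTTP 421.
    location /mismatch/ {
        proxy_pass https://backend.internal.example;
        proxy_ssl_server_name on;       # SNI = proxy_ssl_name, default $proxy_host
        proxy_set_header Host $host;    # Host = whatever the client asked for
    }

    # Consistent, option 1: no Host override. The default Host header is
    # $proxy_host, the same value used for SNI and certificate verification.
    location /default-host/ {
        proxy_pass https://backend.internal.example;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # placeholder path
    }

    # Consistent, option 2: if the Host header must be overridden, set
    # proxy_ssl_name to the same value so SNI, certificate name check and
    # Host all agree.
    location /override-host/ {
        proxy_pass https://backend.internal.example;
        proxy_ssl_server_name on;
        proxy_ssl_name        api.example.com;
        proxy_set_header Host api.example.com;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # placeholder path
    }
}
```

With option 2 and proxy_ssl_verify on, the upstream certificate has to be valid for the name given in proxy_ssl_name.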
