proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?
Maxim Dounin
mdounin at mdounin.ru
Tue Jun 2 19:22:06 UTC 2020
Hello!
On Tue, Jun 02, 2020 at 04:27:28PM +0100, Francis Daly wrote:
> On Tue, Jun 02, 2020 at 12:51:55PM +0300, Sergey Kandaurov wrote:
>
> Hi there,
>
> > That means client provided TLS "server_name" extension (SNI),
> > then requested a different origin in the Host header.
>
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
>
> The nginx code probably should not try to check for (and reject) that
> combination of directives-and-values; but might it be worth adding a
> note to http://nginx.org/r/proxy_ssl_server_name to say that that other
> directive is probably a bad idea, especially if you get a http 421 response
> from your upstream?
Not exactly.
The 421 Misdirected Request error is only returned
when one tries to access a virtual server with SSL client
certificate verification enabled, and used a different server name
during the SSL handshake. Normally one can use Host header which
is different from the SNI server name, and this is often happens
in real life (e.g., connection reuse in HTTP/2 implies requests to
multiple hostnames via one connection).
That's more about being careful when configuring things,
especially when configuring SSL.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list