proxy_ssl_verify error: 'upstream SSL certificate does not match "" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin mdounin at
Tue Jun 2 19:22:06 UTC 2020


On Tue, Jun 02, 2020 at 04:27:28PM +0100, Francis Daly wrote:

> On Tue, Jun 02, 2020 at 12:51:55PM +0300, Sergey Kandaurov wrote:
> Hi there,
> > That means client provided TLS "server_name" extension (SNI),
> > then requested a different origin in the Host header.
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
> The nginx code probably should not try to check for (and reject) that
> combination of directives-and-values; but might it be worth adding a
> note to to say that that other
> directive is probably a bad idea, especially if you get a http 421 response
> from your upstream?

Not exactly.

The 421 Misdirected Request error is only returned 
when one tries to access a virtual server with SSL client 
certificate verification enabled, and used a different server name 
during the SSL handshake.  Normally one can use Host header which 
is different from the SNI server name, and this is often happens 
in real life (e.g., connection reuse in HTTP/2 implies requests to 
multiple hostnames via one connection).

That's more about being careful when configuring things, 
especially when configuring SSL.

Maxim Dounin

More information about the nginx mailing list