proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?
Maxim Dounin
mdounin at mdounin.ru
Tue Jun 2 23:12:41 UTC 2020
Hello!
On Tue, Jun 02, 2020 at 01:01:18PM -0700, PGNet Dev wrote:
> On 6/2/20 12:34 PM, Maxim Dounin wrote:
> > The mis-match comes from trying to redefine the name in some parts
> > of the configuration but not others. Hope the above explanation
> > helps.
>
> I've reread your comment
>
> That is, the name you've written in the proxy_pass directive is
> the actual hostname, and it will be used in the Host header when
> creating requests to upstream server. And it is also used in the
> proxy_ssl_name, so it will be used during SSL handshake for SNI
> and certificate verification.
>
> It's not just "an upstream name". If you want it to be only an
> upstream name, you'll have to redefine at least proxy_ssl_name and
> "proxy_set_header Host". (Well, not really, since $proxy_host is
> also used at least in the proxy_cache_key, but this is probably
> not that important.)
>
> a bunch of times. Still can't grasp it clearly. Which is the source of the pebkac :-/
Read: if you want to use an internal upstream name in proxy_pass,
consider using _both_ "proxy_ssl_name" and "proxy_set_header
Host", for example:
proxy_pass https://test-upstream;
proxy_set_header Host test.example.com;
proxy_ssl_name test.example.com;
There are few other places where the hostname from the proxy_pass
directive is used, but the probably aren't that important.
> Otoh, simply _doing_
>
> Alternatively, you may want to use the real name, and define an
> upstream{} block with that name. This way you won't need to
> redefine anything.
>
> i.e., changing to EITHER
[...]
> now, in _either_ case, access to
>
> https://example.com/app1
> https://example.com/app1/
>
> _does_ return my 'test' app correctly
So everything is fine, as expected.
> i _do_ see in logs
>
> in case (2), a single error instance,
>
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 reusable connection: 1
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 http wait request handler
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 malloc: 0000563CDA76DF10:1024
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 SSL_read: 345
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 SSL_read: -1
> ??? 2020/06/02 12:51:11 [debug] 6140#6140: *3 SSL_get_error: 2
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 reusable connection: 0
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 posix_memalign: 0000563CDA2963A0:4096 @16
> 2020/06/02 12:51:11 [debug] 6140#6140: *3 posix_memalign: 0000563CDA650060:4096 @16
>
> &
>
> in case (1), a double error instance
>
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read_early_data: 2, 0
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_do_handshake: 1
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL: TLSv1.2, cipher: "ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD"
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 reusable connection: 1
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 http wait request handler
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 malloc: 0000563C0F2ADAB0:1024
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read: -1
> ??? 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_get_error: 2
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 free: 0000563C0F2ADAB0
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 http wait request handler
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 malloc: 0000563C0F2ADAB0:1024
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read: 339
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read: -1
> ??? 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_get_error: 2
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 reusable connection: 0
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 posix_memalign: 0000563C0F18FA60:4096 @16
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 posix_memalign: 0000563C0EDD4B10:4096 @16
> 2020/06/02 12:53:46 [debug] 6267#6267: *6 http process request line
>
>
> but that error doesn't seem to be fatal.
>
> any idea what's causing those^^ errors?
These aren't errors, these are debug messages. The
SSL_get_error() return code 2 means SSL_ERROR_WANT_READ, that is,
SSL_read() consumed all the data from the socket and needs more
data to read further. These messages are perfectly normal and
expected.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list