correct Nginx Unix SNI usage? getting error "SSL_get_servername() returned NULL in server name callback"

Bill bill14653 at protonmail.com
Sun Jun 13 20:34:01 UTC 2021


Hi,

I installed

	unit version: 1.24.0

It's behind a Nginx reverse proxy

	upstream UNIT { server 127.0.0.1:12345; }
	server {
		server_name example.com;
		location /testA {
			proxy_pass https://UNIT/testB;
			proxy_ssl_name example1.com;
			proxy_ssl_certificate         "/www/example1.com.client.crt";
			proxy_ssl_certificate_key     "/www/example1.com.client.key";
			...
		}
		location /testB {
			proxy_pass https://UNIT/testB;
			proxy_ssl_name example2.com;
			proxy_ssl_certificate         "/www/example2.com.client.crt";
			proxy_ssl_certificate_key     "/www/example2.com.client.key";
			...
		}
		...

I want to set up SSL for SNI.

I watched Timo Stark's

	NGINX Unit 1.23 - SNI Deep Dive
	 https://www.youtube.com/watch?v=absaan-8y1Q

which was the best, and only, 'documentation' I could find that actually mentions the new SNI usage.

My certs are good, and work great in Nginx, front and/or backends.

For unit, I created server cert bundles, and uploaded them to Unit config

	{
		"certificates": {
			"example1.com.server": {
				"key": "ECDH",
				"chain": [
					{
						"subject": {
							"common_name": "example1.com",
							"alt_names": [
								"example1.com",
								"www.example1.com"
							],

							"country": "US",
							...
			},

			"example2.com.server": {
				"key": "ECDH",
				"chain": [
					{
						"subject": {
							"common_name": "example2.com",
							"alt_names": [
								"example2.com",
								"www.example2.com"
							],

							"country": "US",
							...
		},

and the listener is configured for SNI with both certs

		"config": {
			"listeners": {
				"127.0.0.1:12345": {
					"pass": "routes/main",
					"tls": {
						"certificate": [
							"example1.com.server",
							"example2.com.server"
						],

						"conf_commands": {
							"minprotocol": "TLSv1.3",
							"ciphersuites": "TLS_CHACHA20_POLY1305_SHA256"
						}
					}
				}
			},

			"routes": {
			...
	}


when I access

	https://example.com/testA

I get in the log

	==> /var/log/www/unit.log <==
	2021/06/13 15:46:20 [alert] 35036#35041 *21 SSL_get_servername() returned NULL in server name callback

	==> /var/log/www/nginx.error.log <==
	2021/06/13 15:46:20 [crit] 29271#29271: *30 SSL_do_handshake() failed (SSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: fe80::5ec:3ecf:dd74:fa2e, server: example.com, request: "GET /testA HTTP/2.0", upstream: "https://127.0.0.1:12345/testA", host: "example.com"
	2021/06/13 15:46:20 [warn] 29271#29271: *30 upstream server temporarily disabled while SSL handshaking to upstream, client: fe80::5ec:3ecf:dd74:fa2e, server: example.com, request: "GET /testA HTTP/2.0", upstream: "https://127.0.0.1:12345/testA", host: "example.com"

	==> /var/log/www/unit.log <==
	2021/06/13 15:46:20 [alert] 35036#35041 *21 SSL_do_handshake(97) failed (234: callback failed) (OpenSSL: error:1422E0EA:SSL routines:final_server_name:callback failed)

Since my certs are fine with SNI in Nginx I'm sure it's my wrong usage for Unit.

What in, or missing from, my config is causing that "NULL in server name callback" error?

Bill
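Both log lines in the post describe the same event from two sides: Unit's server-name callback found no server_name extension in the ClientHello ("SSL_get_servername() returned NULL"), and nginx then received the resulting unrecognized_name alert (alert number 112). A practical way to confirm which side is at fault is to look at the ClientHello nginx actually sends to 127.0.0.1:12345 and check whether the SNI extension is present at all. The script below is an added example, not part of the original post or of Unit or nginx; it builds constructed ClientHello records with and without SNI, parses the server_name extension the way a capture-analysis tool would, and mimics a strict server-name callback against bundle names taken from the post (the `BUNDLES` mapping is a constructed stand-in for the listener's certificate list, and the callback logic is a simplification, not Unit's code). One nginx-side setting worth checking with it: `proxy_ssl_name` only chooses the name, while `proxy_ssl_server_name` (off by default) controls whether that name is sent as SNI to the upstream at all.

```python
"""Build and inspect TLS ClientHello records to see whether SNI is present."""
import os
import struct
from typing import Optional

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
SNI_EXTENSION_TYPE = 0x0000    # server_name extension (RFC 6066)

# Constructed stand-in for the two bundles named in the Unit listener config.
BUNDLES = {
    "example1.com.server": ["example1.com", "www.example1.com"],
    "example2.com.server": ["example2.com", "www.example2.com"],
}


def build_client_hello(sni: Optional[str], cipher_suites=(0x1303,)) -> bytes:
    """Construct a minimal ClientHello record (constructed sample, not captured
    traffic). With sni=None no server_name extension is emitted, which is what
    a client that was never told to send SNI produces."""
    body = b"\x03\x03" + os.urandom(32)             # client_version + random
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # one compression method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the server_name extension of a ClientHello
    record, or None when the client sent no SNI (or the bytes are not a ClientHello).
    This is the wire-level condition behind 'SSL_get_servername() returned NULL'."""
    try:
        if record[0] != RECORD_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                 # skip client_version + random
        pos += 1 + body[pos]                         # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                            # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            lp = 2
            while lp + 3 <= 2 + list_len:
                name_type = data[lp]
                name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                name = data[lp + 3:lp + 3 + name_len]
                lp += 3 + name_len
                if name_type == 0:                   # host_name
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def select_bundle(record: bytes, bundles=BUNDLES) -> Optional[str]:
    """Mimic a strict server-name callback (simplified, not Unit's code): pick the
    bundle whose alt_names cover the SNI host. None means there is nothing to
    select on, i.e. no SNI or an unrecognized name, which is the alert-112 case."""
    host = extract_sni(record)
    if host is None:
        return None
    for name, alt_names in bundles.items():
        if host in alt_names:
            return name
    return None


if __name__ == "__main__":
    for sni in ("example1.com", "www.example2.com", "other.test", None):
        rec = build_client_hello(sni)
        print(f"sni={sni!r:22} parsed={extract_sni(rec)!r:22} bundle={select_bundle(rec)!r}")
```

To apply this to real traffic, feed `extract_sni` the first TLS record of the upstream connection (for example the handshake bytes from a packet capture on the loopback interface); a `None` result on a connection that should carry a hostname points at the client side, which in the post's setup is nginx's proxy configuration rather than the certificate bundles.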
