421 Response from nginx when certs and /path/to/scts defined in "http" and using client certificate

[cyanide1959]

Background: I have a multidomain cert from Letsencrypt which is used for all vhosts and is defined in http context, along with the path to scts. One vhost requires a client certificate, which is defined in the server context.

Result: all vhosts work as expected except for the one with a client certificate defined. That one gives an http 421 (Misdirected Request) response.

When the nginx-ct module is not loaded (and no scts are defined), that vhost works as expected.

[grahamedgecombe]

To help me reproduce:

What version of nginx/openssl are you using? Is it possible for you to provide the relevant snippets from the nginx config file?

[cyanide1959]

nginx 1.13.0 Openssl 1.0.2k FreeBSD 11.0amd64

I'll provide nginx.conf and two vhosts. One is a rainloop install which requires a client cert. One is a mailman install which does not.

nginx.conf.txt domain1.com.txt domain2.conf.txt

[alexyangjie]

Same problem here. nginx 1.13.0 openssl 1.1.0e CentOS 7

The problem has been there for a long time. After commenting out relevant directives for nginx-ct, the problem has gone.

[grahamedgecombe]

I've not yet been able to reproduce this. A few more questions:

• Which version of nginx-ct are you using?
• Which web browser & version were you using? Does your browser support SNI? Does your browser support HTTP/2?
• Is your browser requesting the SCT extension? If so, does it work if you use a browser that doesn't request the SCT extension?
• Does it work if you close and re-open your browser before connecting to the vhost protected with a client certificate? (Thus ensuring there are no existing connections open.)
• Does it work if you use openssl s_client and type the HTTP request with Host: header in manually? (You can use -serverinfo 18 to request the SCT extension, and -cert/-key to supply the client cert/key.)
• What hostnames are defined in your server's certificate? e.g. are tranquility.jlkmail.com and domain2.com both in there? Are any others? Which one is duplicated in the CN?
• Do you override ssl_certificate in any other virtual hosts?
• Can you set the error_log to info level and check if you see a message saying 'client attempted to request the server name different from the one that was negotiated' or similar? Are there any other log messages of interest?
• Wild guess, but what happens if you comment the call to SSL_set_current_cert in ngx_ssl_ct_module.c?

or alternatively, can you provide a minimal but complete nginx configuration demonstrating the issue with self-signed certs?

[alexyangjie]

I think this issue is caused by the incorrect handling of 421 response code from nginx, where the same connection is reused for different domains with different security settings in one ip address under http2. More details here: https://bugs.chromium.org/p/chromium/issues/detail?id=546991

I have removed the nginx-ct module, recompiled, and the same problem occurred again. So this is not related to nginx-ct.

[grahamedgecombe]

Okay, thanks. I'll close this but if someone does find evidence that nginx-ct is causing problems then please feel free to re-open.