Closed cyanide1959 closed 7 years ago
To help me reproduce:
What version of nginx/openssl are you using? Is it possible for you to provide the relevant snippets from the nginx config file?
nginx 1.13.0, OpenSSL 1.0.2k, FreeBSD 11.0 amd64
I'll provide nginx.conf and two vhosts. One is a rainloop install which requires a client cert. One is a mailman install which does not.
Same problem here. nginx 1.13.0, OpenSSL 1.1.0e, CentOS 7
The problem has been there for a long time. After commenting out relevant directives for nginx-ct, the problem has gone.
I've not yet been able to reproduce this. A few more questions:
- [...] openssl s_client and type the HTTP request with Host: header in manually? (You can use -serverinfo 18 to request the SCT extension, and -cert/-key to supply the client cert/key.)
- [...] tranquility.jlkmail.com and domain2.com both in there? Are any others? Which one is duplicated in the CN?
- [...] ssl_certificate in any other virtual hosts?
- [...] error_log to info level and check if you see a message saying 'client attempted to request the server name different from the one that was negotiated' or similar? Are there any other log messages of interest?
- [...] SSL_set_current_cert in ngx_ssl_ct_module.c?
- or alternatively, can you provide a minimal but complete nginx configuration demonstrating the issue with self-signed certs?
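The manual reproduction the maintainer asks for, as an added example (not code from this thread or from the nginx-ct project): it does over HTTP/1.1 what a coalescing HTTP/2 browser does implicitly, negotiating TLS for one server name and then sending a request whose Host: names a different vhost on the same address. When the server block selected by Host: has ssl_verify_client set, nginx answers that mismatch with 421 Misdirected Request and logs "client attempted to request the server name different from the one that was negotiated" at info level, which is the message the maintainer suggests looking for. The address, host names, port and certificate paths are placeholders, not the reporter's values.

```python
"""Added example, not code from the thread or from the nginx-ct project.

Negotiate TLS for one server name (SNI), then request another name via Host:.
A server block with ssl_verify_client answers the mismatch with 421.
Address, host names, port and file paths below are placeholders (assumptions).
"""
import socket
import ssl
from typing import List, Optional, Tuple


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request; Host: is the name nginx routes on."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(response: bytes) -> Tuple[str, int, str]:
    """Split the first line of a raw HTTP response into (version, status, reason)."""
    first_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {first_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def is_misdirected(status: int) -> bool:
    """421 means: retry on a fresh connection negotiated for that name."""
    return status == 421


def probe(address: str, sni: str, host: str, port: int = 443,
          cafile: Optional[str] = None, certfile: Optional[str] = None,
          keyfile: Optional[str] = None) -> int:
    """Connect to address, negotiate TLS with server_name=sni, request Host: host.

    Returns the HTTP status code. certfile/keyfile present a client certificate
    (the s_client -cert/-key case in the thread); cafile validates the server chain.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # Lab setups with self-signed certs: we probe routing, not trust.
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    chunks: List[bytes] = []
    with socket.create_connection((address, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_request(host))
            # Read until the header block is complete; the body is irrelevant here.
            while b"\r\n\r\n" not in b"".join(chunks):
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_status_line(b"".join(chunks))[1]


if __name__ == "__main__":
    # Placeholders: one vhost without and one with ssl_verify_client, same address.
    ADDRESS = "203.0.113.10"
    PLAIN_HOST = "lists.example.test"
    CLIENT_CERT_HOST = "mail.example.test"

    # The coalescing case: handshake for PLAIN_HOST, request for CLIENT_CERT_HOST.
    status = probe(ADDRESS, sni=PLAIN_HOST, host=CLIENT_CERT_HOST)
    print(f"SNI={PLAIN_HOST} Host={CLIENT_CERT_HOST}: {status} "
          f"misdirected={is_misdirected(status)}")

    # Control: SNI and Host agree and a client certificate is presented.
    status = probe(ADDRESS, sni=CLIENT_CERT_HOST, host=CLIENT_CERT_HOST,
                   certfile="/path/to/client.pem", keyfile="/path/to/client.key")
    print(f"SNI={CLIENT_CERT_HOST} Host={CLIENT_CERT_HOST}: {status}")
```

Run it against a lab instance with the two placeholder names and address substituted; if the first probe returns 421 and the second does not, the behaviour is nginx's name-versus-handshake check rather than anything nginx-ct does, and the info-level error_log entry quoted above should appear for the first probe.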
I think this issue is caused by the incorrect handling of 421 response code from nginx, where the same connection is reused for different domains with different security settings in one ip address under http2. More details here: https://bugs.chromium.org/p/chromium/issues/detail?id=546991
I have removed the nginx-ct module, recompiled, and the same problem occurred again. So this is not related to nginx-ct.
Okay, thanks. I'll close this but if someone does find evidence that nginx-ct is causing problems then please feel free to re-open.
Background: I have a multidomain cert from Let's Encrypt which is used for all vhosts and is defined in the http context, along with the path to the SCTs. One vhost requires a client certificate, which is defined in the server context.
Result: all vhosts work as expected except for the one with a client certificate defined. That one gives an HTTP 421 (Misdirected Request) response.
When the nginx-ct module is not loaded (and no SCTs are defined), that vhost works as expected.
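The configuration shape the report describes, as an added illustration that is not the reporter's actual config (host names, addresses and paths are placeholders): a shared multi-domain certificate and the nginx-ct directives in the http context, and one server block that additionally requires a client certificate. Because both names sit on one address and are covered by one certificate, an HTTP/2 client may reuse the connection it opened for the first name when it requests the second. nginx then sees a request for a vhost that requires client-certificate verification on a connection whose handshake was for a different name, logs "client attempted to request the server name different from the one that was negotiated" at info level and returns 421. The second variant gives the client-cert host its own listen address so that the connection is never shared.

```nginx
http {
    # Shared certificate for every vhost (placeholder paths)
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;

    # nginx-ct directives in the http context, as in the report
    ssl_ct on;
    ssl_ct_static_scts /etc/nginx/scts;

    # Variant A (the reported setup): both names on one address and one cert.
    # An HTTP/2 client coalesces them; requests for mail.example.test that
    # arrive on a connection negotiated for lists.example.test get 421.
    server {
        listen 203.0.113.10:443 ssl http2;
        server_name lists.example.test;
        root /var/www/lists;
    }

    server {
        listen 203.0.113.10:443 ssl http2;
        server_name mail.example.test;
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/client-ca.pem;
        root /var/www/mail;
    }

    # Variant B: a dedicated address for the client-certificate vhost, so no
    # connection opened for another name can carry its requests.
    server {
        listen 203.0.113.11:443 ssl http2;
        server_name mail.example.test;
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/client-ca.pem;
        root /var/www/mail;
    }
}
```

Giving the client-certificate vhost a certificate of its own (one that does not list the other names) removes the coalescing the same way, since a client only reuses a connection whose certificate also covers the new name. Either way the 421 is nginx refusing to serve a client-verified vhost over a handshake in which no client certificate was checked, so removing the SCT directives is not a fix for it.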