Possible SSL "bug"

Hello,

Not sure if this is a browser issue or if it is an nginx issue.

When using SSL I have encountered a problem using my Android device with
user agent “AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
Safari/533.1”. It seems the wrong SSL cert is being presented to just
this one browser (that I can determine).

My config was as follows:

nginx.conf (A record for this server_name is 75.126.0.178):


# HTTPS server
#
server {
    listen [2607:f0d0:1001:2::3]:443;
    listen 443;
    server_name mickey.jlkhosting.com;

    ssl                  on;
    ssl_certificate      /etc/ssl/certs/jlkhosting_com.crt;
    ssl_certificate_key  /etc/ssl/certs/jlkhosting_com.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers   on;
}

vhost jlkhosting.com (A record is 75.126.13.208):


server {
    listen 443 ssl;
    server_name jlkhosting.com;

    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ssl_certificate      /etc/ssl/certs/jlkhosting_com.crt;
    ssl_certificate_key  /etc/ssl/certs/jlkhosting_com.key;
    ssl_session_cache    shared:SSL:2m;
    ssl_session_timeout  10m;
    keepalive_timeout    70;
}

vhost worldwartwozone.com (A record is 75.126.13.209):

server {
    listen [2607:f0d0:1001:2::3]:80;
    listen 80;
    listen [2607:f0d0:1001:2::3]:443 ssl;
    listen 443 ssl;
    server_name worldwartwozone.com;

    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ssl_certificate      /etc/ssl/certs/worldwartwozone_com.crt;
    ssl_certificate_key  /etc/ssl/certs/worldwartwozone_com.key;
    ssl_session_cache    shared:SSL:2m;
    ssl_session_timeout  10m;
    keepalive_timeout    70;
}

As you can see, all hosts are on different IPs. The certificate at
/etc/ssl/certs/jlkhosting_com.crt is a wildcard for *.jlkhosting.com.

This arrangement works fine in (almost) all browsers. Attached are
screenshots from Firefox which show the correct certificate being used.
Today, I tried logging into worldwartwozone.com from my Android phone
and received the errors in the third and fourth attachments. Clearly,
the certificate that is being presented is the wrong one.

The fix is to tighten up the vhost configuration file to have it listen
on only one IP as follows:

server {
    listen [2607:f0d0:1001:2::3]:80;
    listen 75.126.13.209:80;
    listen [2607:f0d0:1001:2::3]:443 ssl;
    listen 75.126.13.209:443 ssl;
    server_name worldwartwozone.com;

    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ssl_certificate      /etc/ssl/certs/worldwartwozone_com.crt;
    ssl_certificate_key  /etc/ssl/certs/worldwartwozone_com.key;
    ssl_session_cache    shared:SSL:2m;
    ssl_session_timeout  10m;
    keepalive_timeout    70;
}

However, I have never had to do this before. This is the only user agent
for which I have had to make this adjustment. It worked fine on Firefox,
Opera, Chrome, and Safari for Mac, and IE9, Firefox, and Chrome for
Windows. It also worked properly on an iPhone 3GS that I tested. Using
the specific IPv4 address works as you can see in the last attachment.

nginx -V

nginx: nginx version: nginx/1.0.5
nginx: TLS SNI support enabled
nginx: configure arguments: --prefix=/usr/local/etc/nginx
--with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--with-file-aio --with-ipv6
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_flv_module
--add-module=/usr/ports/www/nginx-devel/work/nginx_mod_h264_streaming-2.2.7
--with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-pcre

On Tue, Aug 02, 2011 at 10:20:56PM -0400, Jim O. wrote:


> However, I have never had to do this before. This is the only user agent
> for which I have had to make this adjustment. It worked fine on Firefox,
> Opera, Chrome, and Safari for Mac, and IE9, Firefox, and Chrome for
> Windows. It also worked properly on an iPhone 3GS that I tested. Using
> the specific IPv4 address works as you can see in the last attachment.

In your initial setup all https virtual servers were name-based:
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
The modern browsers can work with such sites using SNI:
http://nginx.org/en/docs/http/configuring_https_servers.html#sni
It seems that your Android phone does not support SNI.
If a client supports SNI then in debug log you will see the line:
SSL server name: "worldwartwozone.com"


Igor S.
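The debug-log line Igor mentions is nginx reporting the server_name extension it found in the client's TLS ClientHello. The script below is an added example (not nginx's code and not from anyone in this thread): it builds two constructed ClientHello records, one with an SNI extension for worldwartwozone.com and one without any extensions at all, as an old non-SNI client would send, and parses them the way a server must before it can pick a certificate. The record layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name extension, type 0); the random bytes and cipher list are placeholders. A client that sends no server name leaves the server nothing to match against, so nginx answers with the default server's certificate for that IP:port, which is exactly the mismatch seen on the Android phone.

```python
"""Extract the SNI host name from a TLS ClientHello, or report its absence.

Added example for this thread; not nginx code. Layout per RFC 5246 / RFC 6066.
"""
import struct

SNI_EXTENSION_TYPE = 0  # RFC 6066 server_name extension


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample input).

    Random bytes and the cipher list are placeholders, not captured traffic.
    With server_name=None no extensions block is emitted at all, which is what
    a client without SNI support sends.
    """
    body = b"\x03\x01"            # client_version: TLS 1.0
    body += b"\x00" * 32          # random (placeholder)
    body += b"\x00"               # session_id: length 0
    body += b"\x00\x02\x00\x2f"   # cipher_suites: one suite, 2 bytes long
    body += b"\x01\x00"           # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerName entry: name_type 0 (host_name) + 2-byte length + name
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(name_entry)) + name_entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    # Handshake header: type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version TLS 1.0, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None.

    Raises ValueError if the bytes are not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                          # skip client_version + random
    pos += 1 + body[pos]                  # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                     # skip cipher_suites
    pos += 1 + body[pos]                  # skip compression_methods
    if pos >= len(body):
        return None                       # no extensions block: a non-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXTENSION_TYPE:
            # ServerNameList: 2-byte list length, then entries of type(1)+len(2)+name
            p = 2
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0:            # host_name
                    return name.decode("ascii")
    return None


def describe(record):
    """One-line verdict in the spirit of nginx's debug log."""
    name = extract_sni(record)
    if name is None:
        return "no SNI: server will answer with its default certificate for this IP:port"
    return f'SSL server name: "{name}"'


if __name__ == "__main__":
    for hello in (build_client_hello("worldwartwozone.com"), build_client_hello(None)):
        print(describe(hello))
```

Against a live server the same check is `openssl s_client -connect host:443 -servername host` versus the same command without `-servername`: if the two runs show different certificate subjects, non-SNI clients are getting the default server's certificate, and the per-IP `listen` directives from the first message are the fix.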

On 8/3/11 3:25 AM, Igor S. wrote:

> In your initial setup all https virtual servers were name-based:
>
> http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers
>
> The modern browsers can work with such sites using SNI:
> http://nginx.org/en/docs/http/configuring_https_servers.html#sni
> It seems that your Android phone does not support SNI.
> If a client supports SNI then in debug log you will see the line:
> SSL server name: "worldwartwozone.com"

Thank you, Igor. I have confirmed that this is the case. I would have
thought that Android OS provided a "modern" browser.


Jim O.