Comments (6)
To help me reproduce:
What version of nginx/openssl are you using?
Is it possible for you to provide the relevant snippets from the nginx config file?
from nginx-ct.
nginx 1.13.0
Openssl 1.0.2k
FreeBSD 11.0amd64
I'll provide nginx.conf and two vhosts. One is a rainloop install which requires a client cert. One is a mailman install which does not.
nginx.conf.txt
domain1.com.txt
domain2.conf.txt
Same problem here.
nginx 1.13.0
openssl 1.1.0e
CentOS 7
The problem has been there for a long time. After commenting out relevant directives for nginx-ct, the problem has gone.
I've not yet been able to reproduce this. A few more questions:
- Which version of nginx-ct are you using?
- Which web browser & version were you using? Does your browser support SNI? Does your browser support HTTP/2?
- Is your browser requesting the SCT extension? If so, does it work if you use a browser that doesn't request the SCT extension?
- Does it work if you close and re-open your browser before connecting to the vhost protected with a client certificate? (Thus ensuring there are no existing connections open.)
- Does it work if you use `openssl s_client` and type the HTTP request with `Host:` header in manually? (You can use `-serverinfo 18` to request the SCT extension, and `-cert`/`-key` to supply the client cert/key.)
- What hostnames are defined in your server's certificate? e.g. are `tranquility.jlkmail.com` and `domain2.com` both in there? Are any others? Which one is duplicated in the CN?
- Do you override `ssl_certificate` in any other virtual hosts?
- Can you set the `error_log` to info level and check if you see a message saying 'client attempted to request the server name different from the one that was negotiated' or similar? Are there any other log messages of interest?
- Wild guess, but what happens if you comment the call to `SSL_set_current_cert` in `ngx_ssl_ct_module.c`?

Or alternatively, can you provide a minimal but complete nginx configuration demonstrating the issue with self-signed certs?
I think this issue is caused by the incorrect handling of 421 response code from nginx, where the same connection is reused for different domains with different security settings in one ip address under http2. More details here: https://bugs.chromium.org/p/chromium/issues/detail?id=546991
I have removed the nginx-ct module, recompiled, and the same problem occurred again. So this is not related to nginx-ct.
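The condition described in the comment above (HTTP/2 vhosts on one IP address with different security settings) can be looked for in a configuration. This is an added example, not part of the thread or of nginx-ct: it assumes vhosts that share a listen address and `ssl_certificate` path present a certificate valid for both names, and its simplified tokenizer ignores `include` and quoted strings. `SAMPLE_CONF` and its hostnames are constructed.

```python
import re
from itertools import combinations

# Constructed sample, not the reporter's files: two HTTP/2 vhosts on one
# address and one certificate; only the first requires a client cert.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name mail.example.test;
    ssl_certificate /etc/ssl/shared.pem;
    ssl_verify_client on;
    location / { root /var/www/mail; }
}
server {
    listen 443 ssl http2;
    server_name lists.example.test;
    ssl_certificate /etc/ssl/shared.pem;
}
"""

def server_blocks(conf):
    """Yield each server{} block's own directives as {name: [args, ...]}."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    depth, base, words, cur = 0, 0, [], None
    for tok in tokens:
        if tok == "{":
            depth += 1
            if cur is None and words == ["server"]:
                cur, base = {}, depth
        elif tok == "}":
            if cur is not None and depth == base:
                yield cur
                cur = None
            depth -= 1
        elif tok == ";" and cur is not None and depth == base and words:
            cur.setdefault(words[0], []).append(words[1:])
        words = [] if tok in ("{", "}", ";") else words + [tok]

def coalescing_risks(conf):
    """Pairs of vhosts sharing listen address and cert but not client-cert policy."""
    hosts = []
    for blk in server_blocks(conf):
        for listen in blk.get("listen", []):
            if "ssl" in listen and "http2" in listen:
                hosts.append((blk.get("server_name", [["_"]])[0][0], listen[0],
                              blk.get("ssl_certificate", [[None]])[-1][0],
                              blk.get("ssl_verify_client", [["off"]])[-1][0]))
    return [(a[0], b[0]) for a, b in combinations(hosts, 2)
            if a[1:3] == b[1:3] and a[3] != b[3]]
```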
Okay, thanks. I'll close this but if someone does find evidence that nginx-ct is causing problems then please feel free to re-open.