421 Response from nginx when certs and /path/to/scts defined in "http" and using client certificate about nginx-ct HOT 6 CLOSED

To help me reproduce:

What version of nginx/openssl are you using?
Is it possible for you to provide the relevant snippets from the nginx config file?

from nginx-ct.

nginx 1.13.0
Openssl 1.0.2k
FreeBSD 11.0amd64

I'll provide nginx.conf and two vhosts. One is a rainloop install which requires a client cert. One is a mailman install which does not.

nginx.conf.txt
domain1.com.txt
domain2.conf.txt

from nginx-ct.

Same problem here.
nginx 1.13.0
openssl 1.1.0e
CentOS 7

The problem has been there for a long time. After commenting out relevant directives for nginx-ct, the problem has gone.

from nginx-ct.

I've not yet been able to reproduce this. A few more questions:

• Which version of nginx-ct are you using?
• Which web browser & version were you using? Does your browser support SNI? Does your browser support HTTP/2?
• Is your browser requesting the SCT extension? If so, does it work if you use a browser that doesn't request the SCT extension?
• Does it work if you close and re-open your browser before connecting to the vhost protected with a client certificate? (Thus ensuring there are no existing connections open.)
• Does it work if you use openssl s_client and type the HTTP request with Host: header in manually? (You can use -serverinfo 18 to request the SCT extension, and -cert/-key to supply the client cert/key.)
• What hostnames are defined in your server's certificate? e.g. are tranquility.jlkmail.com and domain2.com both in there? Are any others? Which one is duplicated in the CN?
• Do you override ssl_certificate in any other virtual hosts?
• Can you set the error_log to info level and check if you see a message saying 'client attempted to request the server name different from the one that was negotiated' or similar? Are there any other log messages of interest?
• Wild guess, but what happens if you comment the call to SSL_set_current_cert in ngx_ssl_ct_module.c?

or alternatively, can you provide a minimal but complete nginx configuration demonstrating the issue with self-signed certs?

from nginx-ct.

I think this issue is caused by the incorrect handling of 421 response code from nginx, where the same connection is reused for different domains with different security settings in one ip address under http2. More details here: https://bugs.chromium.org/p/chromium/issues/detail?id=546991

I have removed the nginx-ct module, recompiled, and the same problem occurred again. So this is not related to nginx-ct.

from nginx-ct.

Okay, thanks. I'll close this but if someone does find evidence that nginx-ct is causing problems then please feel free to re-open.

from nginx-ct.