You'll need to pass the servername parameter for openssl s_client to pass the SNI, e.g.
openssl s_client -servername s4.yourdomain.com -connect s4.yourdomain.com:443

On Aug 4, 2017 8:55 AM, "shahzaib mushtaq" <[email protected]> wrote:

Hi,

Our Nginx server is configured with two different domain SSL certificates on the same IP:

*.mydomain.com
*.yourdomain.com (renewed)

We've configured both these certificates' vhosts in the /usr/local/etc/nginx/vhosts/ directory. After installing the certificates we tested them with sslshopper and both were installed properly (CN, intermediate chain etc. were properly listed for each).

Now here comes the confusing part. Recently we've renewed the SSL certificate for *.yourdomain.com from GoDaddy, and after installing it sslshopper shows the correct CN and intermediate chain for the new certificate (*.yourdomain.com), but openssl shows its CN as *.mydomain.com instead of *.yourdomain.com. I repeat, SSLshopper and SSLLabs show the proper CN (common name), but if I use the openssl command to verify it:

[root@cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect s4.yourdomain.com:443 |head -30
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
s_clidepth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
head depth=0 CN = *.mydomain.com

Here you can see that the CN is *.mydomain.com instead of *.yourdomain.com. We were also seeing so much delay in serving the requests, but once we disabled one of the vhosts the CN started to show the correct domains and performance improved drastically. To test it further with nginx we reversed the order of the virtual hosts and moved the virtual host of yourdomain.com above mydomain.com, and now the CN for both (mydomain.com and yourdomain.com) shows *.yourdomain.com. So we concluded that it's due to the order of the virtual hosts: the vhost which comes first will override the CN for all other domains coming beneath it. Is there any way to get this fixed?
Here is the configuration of the vhosts:

    server {
        listen 443;
        ssl on;
        server_name s4.mydomain.com;
        ssl_certificate /etc/ssl/certs/mydomain/mydomain-combined.crt;
        ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
        ssl_prefer_server_ciphers on;
        location / {
            root /yourdomain;
            index index.html index.htm index.php;
        }
    }

    server {
        listen 443;
        ssl on;
        server_name s4.yourdomain.com;
        ssl_certificate /etc/ssl/certs/yourdomain/yourdomain-combined.crt;
        ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
        ssl_prefer_server_ciphers on;
        location / {
            root /yourdomain;
            index index.html index.htm index.php;
        }
    }

Any advice will be very much appreciated. Thanks.

Shahzaib

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
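The SNI check suggested in the reply, as an added example that is not part of the thread: a POSIX shell script that probes a host with and without -servername and compares the leaf CN parsed from s_client's verify trace, so a defender can confirm that a name resolves to the right certificate only when SNI is sent. The host and port are the thread's example values; the parsing helper and function names are assumptions of this example.

```shell
#!/bin/sh
# Without -servername the client sends no SNI, so nginx has no hostname to
# select a server block by and answers with the default (first) server for
# that listen socket. That is why the CN in the thread looked "wrong".

# Print the CN of the leaf (depth=0) certificate from s_client's verify
# trace read on stdin, e.g. "*.mydomain.com". (helper assumed by this example)
leaf_cn() {
    # The trace line looks like "depth=0 CN = *.mydomain.com", possibly
    # with more RDNs; take the value after "CN = " on the depth=0 line.
    sed -n 's/^depth=0 .*CN *= *\([^,]*\).*/\1/p' | head -n 1
}

# Run openssl s_client against HOST PORT; the optional third argument is
# the SNI name. stderr is merged because the verify trace goes there.
probe_cert() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then
        openssl s_client -connect "$host:$port" -servername "$sni" \
            </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" </dev/null 2>&1
    fi
}

# Compare the leaf CN presented with and without SNI for one hostname.
# Returns 0 when they agree; 1 when the certificate seen depends on SNI
# (a client that sends no SNI gets the default vhost's certificate).
check_sni_dependence() {
    host=$1; port=${2:-443}
    without=$(probe_cert "$host" "$port" | leaf_cn)
    with=$(probe_cert "$host" "$port" "$host" | leaf_cn)
    echo "no SNI        : $without"
    echo "SNI=$host: $with"
    [ "$without" = "$with" ]
}

# Example invocation against the thread's host (needs network access):
#   check_sni_dependence s4.yourdomain.com 443
```

Run it for each server_name on the shared IP; a mismatch between the two lines is expected with multiple vhosts on one address and simply means the client must send SNI, as the reply explains.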
