SSL Multiple Vhost Overlapping common name [CN]

Posted by shahzaib mushtaq 
August 04, 2017 04:00PM
Hi,

Our Nginx server is configured with two different domain SSL certificates
on the same IP:

*.mydomain.com
*.yourdomain.com (Renewed)

We've configured vhosts for both of these certificates in the
/usr/local/etc/nginx/vhosts/ directory. After installing the certificates we
tested them with SSLShopper and both were installed properly (CN,
intermediate chain etc. were properly listed for each).

Now here comes the confusing part. Recently we renewed the SSL
certificate for *.yourdomain.com from GoDaddy, and after installing it
SSLShopper shows the correct CN and intermediate chain for the new
certificate (*.yourdomain.com), but openssl shows its CN as *.mydomain.com
instead of *.yourdomain.com.

I repeat: SSLShopper and SSLLabs show the proper CN (common name), but if I
use the openssl command to verify it:

[root@cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect s4.yourdomain.com:443 | head -30
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
depth=0 CN = *.mydomain.com

Here you can see that CN is *.mydomain.com instead of *.yourdomain.com.

We were also seeing very delayed serving of requests, but once we
disabled one of the vhosts, the CN started to show the correct domain and
performance improved drastically.

To test it further with nginx we reversed the order of the virtual hosts
and moved the virtual host of yourdomain.com above the one for mydomain.com,
and now the CN for both (mydomain.com and yourdomain.com) shows
*.yourdomain.com. So we concluded that it's due to the order of the virtual
hosts: the vhost which comes first will overlap the CN for all other domains
coming beneath it.

Is there any way to get this fixed?

Here is the configuration of vhosts :

server {
    listen 443;
    ssl on;
    server_name s4.mydomain.com;
    ssl_certificate /etc/ssl/certs/mydomain/mydomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;
    location / {
        root /yourdomain;
        index index.html index.htm index.php;
    }
}

server {
    listen 443;
    ssl on;
    server_name s4.yourdomain.com;
    ssl_certificate /etc/ssl/certs/yourdomain/yourdomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;
    location / {
        root /yourdomain;
        index index.html index.htm index.php;
    }
}

Any advice will be very much appreciated.

Thanks.
Shahzaib
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
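Editor's note on the vhost pair in the post above, with an added configuration example that is not the poster's own. The certificate a client receives is decided by the SNI name in the ClientHello: nginx picks the server block whose server_name matches, and a client that sends no SNI gets the default server for that listen address and port, which is simply the first server block defined for it unless one is marked default_server. That is the "order of the virtual hosts" effect the post describes. The example below keeps the poster's paths and names, makes the default explicit, uses the ssl parameter of listen in place of ssl on (deprecated in nginx 1.15.0), and drops TLSv1, TLSv1.1 and the 3DES suites from the posted cipher list; the cipher string is my choice, not the poster's.

```nginx
# Added example, not the poster's configuration. Paths and server names are
# taken from the post; default_server, ssl_protocols and ssl_ciphers are the
# changes being illustrated.
server {
    # Explicit default for 443: a client that sends no SNI (OpenSSL 1.0.x
    # s_client without -servername, some scanners) lands here and gets this
    # certificate, whatever order the vhost files are loaded in.
    listen 443 ssl default_server;
    server_name s4.mydomain.com;

    ssl_certificate     /etc/ssl/certs/mydomain/mydomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384';
    ssl_prefer_server_ciphers on;

    location / {
        root  /yourdomain;
        index index.html index.htm index.php;
    }
}

server {
    # Selected only when the ClientHello carries SNI = s4.yourdomain.com.
    listen 443 ssl;
    server_name s4.yourdomain.com;

    ssl_certificate     /etc/ssl/certs/yourdomain/yourdomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384';
    ssl_prefer_server_ciphers on;

    location / {
        root  /yourdomain;
        index index.html index.htm index.php;
    }
}
```

Nothing in nginx can hand the *.yourdomain.com certificate to a client that sends no SNI at all; with both vhosts on one IP and port the only remedies for such clients are a single certificate whose SAN list covers both names, or a separate IP address per certificate. Run nginx -t before reloading.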
Joshua Cooley
Re: SSL Multiple Vhost Overlapping common name [CN]
August 04, 2017 04:20PM
You'll need to pass the servername parameter for openssl s_client to pass
the SNI, e.g.

openssl s_client -servername s4.yourdomain.com -connect s4.yourdomain.com:443

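The difference between the two s_client invocations in this thread, reproduced as an added example that belongs to neither post. The script uses only the openssl CLI on a loopback port: openssl s_server stands in for the two nginx vhosts, serving a throwaway self-signed *.mydomain.com certificate by default and a *.yourdomain.com one only when the ClientHello names s4.yourdomain.com, and s_client is then run with no SNI, with the wrong SNI and with the right SNI. The certificates are generated on the fly (constructed test data), and the port number and the presence of an openssl binary are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: show why "openssl s_client" without
# -servername reports the default vhost's certificate, using only openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PORT=$((20000 + $$ % 10000))   # assumption: a free loopback port
SERVER_PID=""

# Two throwaway self-signed certificates (constructed test data, not the
# poster's GoDaddy/RapidSSL certificates).
mkcert() {  # $1 = CN, $2 = file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}
mkcert '*.mydomain.com'   mydomain
mkcert '*.yourdomain.com' yourdomain

# Print the subject of the certificate the server actually sends.
# $1 = SNI name to send; an empty string sends no SNI at all, which is what
# OpenSSL 1.0.x did for a bare "s_client -connect host:443" and what every
# version still does when -connect is given an IP literal.
served_cn() {
  if [ -n "$1" ]; then set -- -servername "$1"; else set --; fi
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed 's/^subject= *//'
}

# Stand-in for the two nginx vhosts: *.mydomain.com is the default (the
# first server block); *.yourdomain.com is handed out only when the client
# names s4.yourdomain.com in SNI.
start_server() {
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/mydomain.crt" -key "$WORK/mydomain.key" \
    -servername s4.yourdomain.com \
    -cert2 "$WORK/yourdomain.crt" -key2 "$WORK/yourdomain.key" \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0
  while [ -z "$(served_cn '')" ]; do     # wait for the listener to answer
    i=$((i + 1))
    [ "$i" -lt 20 ] || { echo "s_server did not start" >&2; return 1; }
    sleep 1
  done
}

stop_server() {
  [ -z "$SERVER_PID" ] || kill "$SERVER_PID" 2>/dev/null || true
  SERVER_PID=""
}

start_server
printf '%-24s %s\n' 'no SNI:'                "$(served_cn '')"
printf '%-24s %s\n' 'SNI s4.mydomain.com:'   "$(served_cn s4.mydomain.com)"
printf '%-24s %s\n' 'SNI s4.yourdomain.com:' "$(served_cn s4.yourdomain.com)"
stop_server
```

The first two lines of output name *.mydomain.com and only the third names *.yourdomain.com, which is the poster's symptom: the CN "overlap" is the server choosing its default for a client that never said which host it wanted. One caveat when checking a real host: since OpenSSL 1.1.1, s_client fills SNI from the -connect hostname whenever it looks like a DNS name, so the bare command from the original post now reports the right certificate on a current toolchain; pass -noservername to reproduce the no-SNI case deliberately. Before 1.1.1 no SNI was sent unless -servername was given, which is exactly what this thread ran into.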