Opened 2 years ago

Closed 2 years ago

#1601 closed defect (duplicate)

ssl default server must have a cert even if it's not being accessed

Reported by: https://stackoverflow.com/users/418966/cyker Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.12.x
Keywords: Cc:
uname -a: 4.17.6-200.fc28.x86_64
nginx -V: nginx version: nginx/1.12.1
...
TLS SNI support enabled

Description

With this configuration:

server {

listen 443 ssl;
server_name a.com;
ssl_certificate a.cert;
ssl_certificate_key a.key;

}
server {

listen 443 ssl;
server_name b.com;
ssl_certificate b.cert;
ssl_certificate_key b.key;

}
server {

listen 443 default_server ssl;
...

}

When a client tries to connect to a.com, nginx will spawn an error:

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

With SNI enabled, this is not very rational because the client clearly says it
wants a.com, which is defined in a separate block. Whether or not the default
server has a cert shouldn't matter.

If nginx requires every ssl block must have a cert, then it should enforce this
check at start time, not when a client tries to connect to a server.

Change History (2)

comment:1 by Ruslan Ermilov, 2 years ago

This is exactly what has been done in 1.15.0, quote:

Changes with nginx 1.15.0                                        05 Jun 2018

    *) Change: the "ssl" directive is deprecated; the "ssl" parameter of the
       "listen" directive should be used instead.

    *) Change: now nginx detects missing SSL certificates during
       configuration testing when using the "ssl" parameter of the "listen"
       directive.

See http://hg.nginx.org/nginx/rev/7f955d3b9a0d for details.

Last edited 2 years ago by Ruslan Ermilov (previous) (diff)

comment:2 by Ruslan Ermilov, 2 years ago

Resolution: duplicate
Status: newclosed

Duplicate of #178.

Note: See TracTickets for help on using tickets.