#1601 closed defect (duplicate)
ssl default server must have a cert even if it's not being accessed
| Reported by: | https://stackoverflow.com/users/418966/cyker | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.12.x |
| Keywords: | Cc: | ||
| uname -a: | 4.17.6-200.fc28.x86_64 | ||
| nginx -V: |
nginx version: nginx/1.12.1
... TLS SNI support enabled |
||
Description
With this configuration:
server {
listen 443 ssl;
server_name a.com;
ssl_certificate a.cert;
ssl_certificate_key a.key;
}
server {
listen 443 ssl;
server_name b.com;
ssl_certificate b.cert;
ssl_certificate_key b.key;
}
server {
listen 443 default_server ssl;
...
}
When a client tries to connect to a.com, nginx will spawn an error:
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking
With SNI enabled, this is not very rational because the client clearly says it
wants a.com, which is defined in a separate block. Whether or not the default
server has a cert shouldn't matter.
If nginx requires every ssl block must have a cert, then it should enforce this
check at start time, not when a client tries to connect to a server.
This is exactly what has been done in 1.15.0, quote:
Changes with nginx 1.15.0 05 Jun 2018 *) Change: the "ssl" directive is deprecated; the "ssl" parameter of the "listen" directive should be used instead. *) Change: now nginx detects missing SSL certificates during configuration testing when using the "ssl" parameter of the "listen" directive.