Opened 7 years ago

Closed 9 months ago

Last modified 6 months ago

#178 closed defect (fixed)

listen with ssl but missing ssl_certificate is not detected by nginx -t

Reported by: gunnlaugur@…
Owned by: somebody
Priority: minor
Milestone: (none)
Component: nginx-core
Version: 1.2.x
Keywords: (none)
Cc: (none)
uname -a: Linux stimpy.datamarket.net 2.6.26-2-amd64 #1 SMP Wed Sep 21 03:36:44 UTC 2011 x86_64 GNU/Linux
nginx -V:
nginx version: nginx/1.2.1
built by gcc 4.3.2 (Debian 4.3.2-1.1)
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --with-http_stub_status_module

Description

I just added the line:

listen 443 ssl;

to one of my extra (non-production) vhosts, but forgot to add the ssl_certificate and ssl_certificate_key.

That's my mistake. But nginx -t did not catch the mistake, and nginx -s reload did apply the changed configuration ... and our production site (which also has listen 443 ssl;) now failed all HTTPS requests with:

2012/06/15 17:21:35 [error] 18931#0: *2322994 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: xxx.xxx.xx.xxx, server: 0.0.0.0:443

Usually nginx does catch my config mistakes at parse time and thus prevents me from breaking things. I think it could and should have done so in this instance too.

Change History (6)

comment:1 Changed 3 years ago by mdounin

  • sensitive set to 0
  • Status changed from new to accepted

comment:2 Changed 2 years ago by mdounin

See also #1073.

comment:3 Changed 2 years ago by mdounin

See also #1107.

comment:4 Changed 9 months ago by Maxim Dounin <mdounin@…>

In 7269:7f955d3b9a0d/nginx:

SSL: detect "listen ... ssl" without certificates (ticket #178).

In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.

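The rule stated in the fix commit above (in http, a missing certificate is fatal only for the default server of an SSL address; in stream and mail it is fatal for any ssl listen) can be checked statically before a reload. The script below is an added example written for this page, not nginx's own code and not a substitute for nginx -t: its config parser is a minimal one written here (no include handling, simplified address normalisation), and the sample configs are constructed to reproduce the situation in the report, where a non-production vhost gets "listen 443 ssl;" without a certificate and, because it is declared first, becomes the implicit default server for port 443.

```python
"""Static check for the #178 misconfiguration: an SSL listen whose default server
has no certificate.  Added example, not nginx code.  The parser and the sample
configs are constructed for this example; the rule implemented is the one from
the fix commit (http: only the default server needs the certificate; stream/mail:
every ssl listen needs one)."""
import re

# Constructed sample: staging is declared first and therefore becomes the implicit
# default server for *:443, but it has no certificate -> fatal after the fix.
BROKEN_CONF = """
http {
    server {
        listen 443 ssl;
        server_name staging.example.test;
        # forgot ssl_certificate / ssl_certificate_key
    }
    server {
        listen 443 ssl;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/tls/www.crt;
        ssl_certificate_key /etc/nginx/tls/www.key;
    }
}
"""

# Constructed sample: the server that owns the certificate is made the default,
# so the certificate-less staging vhost is allowed on the same SSL address.
FIXED_CONF = """
http {
    server {
        listen 443 ssl;
        server_name staging.example.test;
    }
    server {
        listen 443 ssl default_server;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/tls/www.crt;
        ssl_certificate_key /etc/nginx/tls/www.key;
    }
}
"""

# Constructed sample for the stricter stream rule: no default-server fallback there.
STREAM_CONF = """
stream {
    server {
        listen 5432 ssl;
        proxy_pass 10.0.0.5:5432;
    }
}
"""


def parse(text):
    """Minimal nginx config parser: returns a list of (args, body), where body is
    None for a simple directive and a nested list for a block."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments (assumes no '#' in quoted values)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', text)
    pos = 0

    def block():
        nonlocal pos
        items, args = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                items.append((args, None))
                args = []
            elif tok == "{":
                items.append((args, block()))
                args = []
            elif tok == "}":
                break
            else:
                args.append(tok)
        return items

    return block()


def addr_of(listen_args):
    """Normalise 'listen 443' / '*:443' / '0.0.0.0:443' to one key (assumption:
    enough for this example; nginx's own address matching is richer)."""
    addr = listen_args[0]
    return "*:" + addr if addr.isdigit() else addr.replace("0.0.0.0:", "*:")


def server_info(body, inherited_cert):
    listens = [a[1:] for a, b in body if a and a[0] == "listen"]
    has_cert = inherited_cert or any(a and a[0] == "ssl_certificate" for a, b in body)
    names = next((a[1:] for a, b in body if a and a[0] == "server_name"), ["<unnamed>"])
    return {"listen": listens, "cert": has_cert, "name": " ".join(names)}


def check(text):
    """Return a list of error strings; an empty list means the config passes."""
    errors = []
    for args, body in parse(text):
        if body is None or not args or args[0] not in ("http", "stream", "mail"):
            continue
        ctx = args[0]
        ctx_cert = any(a and a[0] == "ssl_certificate" for a, b in body)  # inherited from context level
        servers = [server_info(b, ctx_cert) for a, b in body if b is not None and a and a[0] == "server"]
        if ctx != "http":
            for s in servers:
                if any("ssl" in l[1:] for l in s["listen"]) and not s["cert"]:
                    errors.append(f'{ctx}: no "ssl_certificate" is defined for server {s["name"]} listening with ssl')
            continue
        # http: an address is SSL if any server marks it so; its default server is the
        # one marked default_server, otherwise the first server declared for it.
        by_addr = {}
        for s in servers:
            for l in s["listen"]:
                e = by_addr.setdefault(addr_of(l), {"ssl": False, "default": None, "first": s})
                if "ssl" in l[1:]:
                    e["ssl"] = True
                if "default_server" in l[1:] or "default" in l[1:]:
                    e["default"] = s
        for addr, e in by_addr.items():
            d = e["default"] or e["first"]
            if e["ssl"] and not d["cert"]:
                errors.append(f'http: no "ssl_certificate" is defined for the default server ({d["name"]}) listening on {addr}')
    return errors


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("stream", STREAM_CONF)):
        print(label, check(conf) or "ok")
```

The point the check makes visible is the one the report stumbled on: which server is "default" for an address is decided by declaration order unless default_server is set, so a certificate-less vhost in an extra sites-enabled file can silently become the default for :443 and break every HTTPS handshake. Marking the production server default_server (or giving the extra vhost its own certificate) removes the ambiguity.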
comment:5 Changed 9 months ago by mdounin

  • Resolution set to fixed
  • Status changed from accepted to closed

Fix committed.

comment:6 Changed 6 months ago by ru

See also #1601.
