Ticket #1871: Nginx will not accept the latter of two client certs if the subject is the same.

Reporter: johannes.gehrs.moia.io@…
Owner: (none)
Type: defect
Status: closed
Priority: major
Milestone: (none)
Component: nginx-core
Version: 1.17.x
Resolution: invalid
Keywords: (none)
Cc: (none)

Description:

Nginx will not accept the latter of two client certs if the subject is the same. This code is supposed to demonstrate this: https://github.com/johannes-gehrs/nginx-bug-2clientcerts

Run `make certs` to create certificates. Run `make docker` to build and run a docker container which uses the certs. Then you can test like this:

{{{
# This will work
curl --insecure --cert ./client1.crt --key client1.key https://localhost:8443/index.html

# This will fail
curl --insecure --cert ./client2.crt --key client2.key https://localhost:8443/index.html
}}}

If you change the `subj` to be non-identical between both client certs in the Makefile, then both certs will be accepted.

Our expectation would be that certificates with the same subject are both accepted. Our concrete use case is that all certificates issued by AWS API Gateway have the same subject. So we currently cannot do zero-downtime deployments when rotating the certs.

uname -a:

{{{
Linux 1f972dd0e65f 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64 GNU/Linux
}}}

nginx -V:

{{{
nginx version: nginx/1.17.4
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.4/debian/debuild-base/nginx-1.17.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
}}}