id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1871	Nginx will not accept the latter of two client certs if the subject is the same.	johannes.gehrs.moia.io@…		"Nginx will not accept the latter of two client certs if the subject is the same.

This code is supposed to demonstrate this: https://github.com/johannes-gehrs/nginx-bug-2clientcerts

Run `make certs` to create certificates. Run `make docker` to build and run a docker container which
uses the certs.

Then you can test like this:

{{{
# This will work
curl --insecure --cert ./client1.crt  --key client1.key  https://localhost:8443/index.html
# This will fail
curl --insecure --cert ./client2.crt  --key client2.key  https://localhost:8443/index.html
}}}


If you change the `subj` to be non-identical between both client certs in the Makefile, then both certs
will be accepted.

Our expectation would be that certificates with the same subject are both accepted.

Our concrete use case is that all certificates issued by AWS API Gateway have the same subject. So we currently cannot do zero downtime deployments when rotating the certs."	defect	closed	major		nginx-core	1.17.x	invalid			Linux 1f972dd0e65f 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64 GNU/Linux	"nginx version: nginx/1.17.4
built by gcc 8.3.0 (Debian 8.3.0-6) 
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.4/debian/debuild-base/nginx-1.17.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
"
