Opened 4 years ago

Last modified 4 years ago

#2148 accepted enhancement

Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress — at Version 1

Reported by: gavriluk@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.16.x
Keywords: Cc: gavriluk@…
uname -a: Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl

Description (last modified by gavriluk@…)

Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress

location config:
proxy_pass https://10.10.10.10:8443;
proxy_ssl_certificate /nginx/certs/chain.pem;
proxy_ssl_certificate_key /nginx/certs/client.key;
proxy_ssl_trusted_certificate /nginx/certs/proxied_server.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;

When specifying
proxy_pass https://10.10.10.10:8443;
there is an error in error.log and a 502 Bad Gateway in curl:

2021/03/09 23:22:34 [error] 18566#0: *1 upstream SSL certificate does not match "10.10.10.10" while SSL handshaking to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://10.10.10.10:8443/", host: "localhost"

but when specifying
proxy_pass https://somehost:8443;
then it works.

certificate:
$> openssl x509 -text -in /nginx/certs/proxied_server.pem
...
X509v3 Subject Alternative Name:
    DNS:somehost, IP Address:10.10.10.10
...
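As an added illustration (not nginx's code and not the reporter's), the following Python checks a SAN list the way a proxy verifying an upstream certificate should: an IP-literal proxy_pass target is matched only against iPAddress entries, a hostname only against dNSName entries. The `honor_ip_san=False` switch reproduces the DNS-only matching the ticket reports; `SAN_LINE` is the SAN line from the ticket, and `parse_san`/`match_upstream` are names chosen here.

```python
import ipaddress

# Constructed sample: the SAN line as printed by `openssl x509 -text` in the ticket.
SAN_LINE = "DNS:somehost, IP Address:10.10.10.10"


def parse_san(line):
    """Parse an openssl-style SAN line into a list of (type, value) tuples."""
    entries = []
    for item in line.split(","):
        # partition on the first ':' only, so IPv6 literals keep their colons
        kind, _, value = item.strip().partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def _dns_match(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive, '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.example.test' covers 'a.example.test' but not 'example.test' or 'a.b.example.test'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_upstream(san_entries, target, honor_ip_san=True):
    """Return True if `target` (hostname or IP literal) is covered by the SAN entries.

    honor_ip_san=False models the behaviour the ticket reports: only dNSName
    entries are consulted, so an IP-literal proxy_pass never matches.
    """
    try:
        ip = ipaddress.ip_address(target.strip("[]"))  # accept bracketed IPv6 literals
    except ValueError:
        ip = None
    if ip is None or not honor_ip_san:
        # hostname target (or legacy behaviour): compare against dNSName entries only
        return any(k == "DNS" and _dns_match(v, target) for k, v in san_entries)
    # IP-literal target: compare parsed addresses, never the raw string, against iPAddress entries
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san_entries)


if __name__ == "__main__":
    san = parse_san(SAN_LINE)
    for target in ("somehost", "10.10.10.10"):
        print(target, "fixed:", match_upstream(san, target),
              "legacy:", match_upstream(san, target, honor_ip_san=False))
```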

Change History (1)

comment:1 by gavriluk@…, 4 years ago

Description: modified (diff)