Opened 6 years ago
Closed 6 years ago
#1601 closed defect (duplicate)
ssl default server must have a cert even if it's not being accessed
Reported by: | https://stackoverflow.com/users/418966/cyker | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.12.x |
Keywords: | Cc: | ||
uname -a: | 4.17.6-200.fc28.x86_64 | ||
nginx -V: |
nginx version: nginx/1.12.1
... TLS SNI support enabled |
Description
With this configuration:
server {
listen 443 ssl;
server_name a.com;
ssl_certificate a.cert;
ssl_certificate_key a.key;
}
server {
listen 443 ssl;
server_name b.com;
ssl_certificate b.cert;
ssl_certificate_key b.key;
}
server {
listen 443 default_server ssl;
...
}
When a client tries to connect to a.com, nginx will spawn an error:
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking
With SNI enabled, this is not very rational because the client clearly says it
wants a.com, which is defined in a separate block. Whether or not the default
server has a cert shouldn't matter.
If nginx requires every ssl block must have a cert, then it should enforce this
check at start time, not when a client tries to connect to a server.
This is exactly what has been done in 1.15.0, quote:
See http://hg.nginx.org/nginx/rev/7f955d3b9a0d for details.