There are two remarks for this example:
- While enabling HTTP/3 I had to add the ssl_certificate lines to the
default server, while using solely HTTP/2 this wasn't necessary. It will
throw an error on trying to start Nginx, is that a bug?
- The ssl_reject_handshake in the default server will prevent proper SNI
matching for domain.com. If I run `curl https://domain.com/` it works fine,
but `curl -k -H 'Host: domain.com' https://ipaddress-of-server/` does not.
When I remove ssl_reject_handshake it works as expected
My intent is to have a default server that responds to non-existing domain
names. Preferably it responds with 444, but requests over TLS (such as old
domains names with HTST) will throw a security warning that the server's
certificates don't match the request's virtual host's domain name (as
expected). Instead of showing a security warning in the browser I prefer a
connection error, which is why I want to employ ssl_reject_handshake.
Kind regards,
Taco de Wolff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240228/01a77c9d/attachment.htm>
Hello,
On Wed, 28 Feb 2024 21:45:37 -0300
Taco de Wolff <tacodewolff at gmail.com> wrote:
> Hi,
>
> I've noticed at least in 1.24.0 and 1.25.4 that adding an
> ssl_reject_handshake to the default server breaks SNI for other
> servers. Example:
>
> ```
> server {
> server_name _;
> listen 80 default_server;
> listen 443 default_server ssl;
> listen 443 default_server quic reuseport;
> listen [::]:80 default_server;
> listen [::]:443 default_server ssl;
> listen [::]:443 default_server quic reuseport;
>
> http2 on;
>
> # SSL
> ssl_certificate /etc/pki/lego/certificates/server.crt;
> ssl_certificate_key /etc/pki/lego/certificates/server.key;
> ssl_trusted_certificate /etc/pki/lego/certificates/server.crt;
> ssl_reject_handshake on;
>
> return 444;
> }
>
> server {
> server_name domain.com;
> listen 443 ssl;
> listen 443 quic;
> listen [::]:443 ssl;
> listen [::]:443 quic;
>
> http2 on;
>
> root /srv/www/html;
>
> # SSL
> ssl_certificate /etc/pki/lego/certificates/server.crt;
> ssl_certificate_key /etc/pki/lego/certificates/server.key;
> ssl_trusted_certificate /etc/pki/lego/certificates/server.crt;
>
> location / {
> try_files /index.html =404;
> }
> }
> ```
>
> There are two remarks for this example:
> - While enabling HTTP/3 I had to add the ssl_certificate lines to the
> default server, while using solely HTTP/2 this wasn't necessary. It
> will throw an error on trying to start Nginx, is that a bug?
TLS is mandatory for HTTP/3 (well, more accurately for QUIC).
https://stackoverflow.com/questions/72826710/quic-transfer-protocol-need-not-tls
> - The ssl_reject_handshake in the default server will prevent proper
> SNI matching for domain.com. If I run `curl https://domain.com/` it
> works fine, but `curl -k -H 'Host: domain.com'
> https://ipaddress-of-server/` does not. When I remove
> ssl_reject_handshake it works as expected
>
If you curl an IP Address rather than an FQDN, curl will not include
SNI extension in client hello at all.
ssl_reject_handshake, as the name suggests, rejects TLS handshakes prior
to completion. Nginx cannot perform secondary search for correct server
block using host/authority header, as that would require first
completing handshake, and then parsing host/authority header.
> My intent is to have a default server that responds to non-existing
> domain names. Preferably it responds with 444, but requests over TLS
> (such as old domains names with HTST) will throw a security warning
> that the server's certificates don't match the request's virtual
> host's domain name (as expected).
>
return 444; just a special return value that causes nginx to terminate
connection, nothing get's sent back to the client at all. return
directives (rewrite module more accurately) runs post TLS handshake
though. For default server TLS connections with your present
configuration - it will never get to that point.
Generally ssl_reject_hanshake is preferable for terminating connections
anyway, as it saves performing heavy TLS handshake.
The return 444 is still relevant for plain text connections that reach
your default server though, so I'd recommend still keeping it.
> Instead of showing a security warning in the browser I prefer a
> connection error, which is why I want to employ ssl_reject_handshake.
Your present configuration should work fine then.
> Kind regards,
> Taco de Wolff
Thank you Jordan for the response.
Including the SNI information in cURL works, thank you. I wasn't aware this
was so very different from TCP/HTTP2.
The point I was trying to make about the ssl_certificate options to be
mandatory, is that HTTP/2 also requires SSL but recognizes that when
ssl_reject_handshake=on it doesn't need the certificate. For HTTP/3 it
doesn't seem to recognize that it doesn't need the certificate since it
will reject handshakes anyways.
Kind regards,
Taco de Wolff
Op vr 1 mrt 2024 om 05:20 schreef J Carter <jordanc.carter at outlook.com>:
> Hello,
>
> On Wed, 28 Feb 2024 21:45:37 -0300
> Taco de Wolff <tacodewolff at gmail.com> wrote:
>
> > Hi,
> >
> > I've noticed at least in 1.24.0 and 1.25.4 that adding an
> > ssl_reject_handshake to the default server breaks SNI for other
> > servers. Example:
> >
> > ```
> > server {
> > server_name _;
> > listen 80 default_server;
> > listen 443 default_server ssl;
> > listen 443 default_server quic reuseport;
> > listen [::]:80 default_server;
> > listen [::]:443 default_server ssl;
> > listen [::]:443 default_server quic reuseport;
> >
> > http2 on;
> >
> > # SSL
> > ssl_certificate /etc/pki/lego/certificates/server.crt;
> > ssl_certificate_key /etc/pki/lego/certificates/server.key;
> > ssl_trusted_certificate /etc/pki/lego/certificates/server.crt;
> > ssl_reject_handshake on;
> >
> > return 444;
> > }
> >
> > server {
> > server_name domain.com;
> > listen 443 ssl;
> > listen 443 quic;
> > listen [::]:443 ssl;
> > listen [::]:443 quic;
> >
> > http2 on;
> >
> > root /srv/www/html;
> >
> > # SSL
> > ssl_certificate /etc/pki/lego/certificates/server.crt;
> > ssl_certificate_key /etc/pki/lego/certificates/server.key;
> > ssl_trusted_certificate /etc/pki/lego/certificates/server.crt;
> >
> > location / {
> > try_files /index.html =404;
> > }
> > }
> > ```
> >
> > There are two remarks for this example:
> > - While enabling HTTP/3 I had to add the ssl_certificate lines to the
> > default server, while using solely HTTP/2 this wasn't necessary. It
> > will throw an error on trying to start Nginx, is that a bug?
>
> TLS is mandatory for HTTP/3 (well, more accurately for QUIC).
>
>
> https://stackoverflow.com/questions/72826710/quic-transfer-protocol-need-not-tls
>
> > - The ssl_reject_handshake in the default server will prevent proper
> > SNI matching for domain.com. If I run `curl https://domain.com/`
> <https://domain.com/> it
> > works fine, but `curl -k -H 'Host: domain.com'
> > https://ipaddress-of-server/` <https://ipaddress-of-server/> does not.
> When I remove
> > ssl_reject_handshake it works as expected
> >
>
> If you curl an IP Address rather than an FQDN, curl will not include
> SNI extension in client hello at all.
>
> ssl_reject_handshake, as the name suggests, rejects TLS handshakes prior
> to completion. Nginx cannot perform secondary search for correct server
> block using host/authority header, as that would require first
> completing handshake, and then parsing host/authority header.
>
> > My intent is to have a default server that responds to non-existing
> > domain names. Preferably it responds with 444, but requests over TLS
> > (such as old domains names with HTST) will throw a security warning
> > that the server's certificates don't match the request's virtual
> > host's domain name (as expected).
> >
>
> return 444; just a special return value that causes nginx to terminate
> connection, nothing get's sent back to the client at all. return
> directives (rewrite module more accurately) runs post TLS handshake
> though. For default server TLS connections with your present
> configuration - it will never get to that point.
>
> Generally ssl_reject_hanshake is preferable for terminating connections
> anyway, as it saves performing heavy TLS handshake.
>
> The return 444 is still relevant for plain text connections that reach
> your default server though, so I'd recommend still keeping it.
>
> > Instead of showing a security warning in the browser I prefer a
> > connection error, which is why I want to employ ssl_reject_handshake.
>
> Your present configuration should work fine then.
>
> > Kind regards,
> > Taco de Wolff
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240302/d151f3c1/attachment.htm>
Hello Taco,
On Sat, 2 Mar 2024 09:54:46 -0300
Taco de Wolff <tacodewolff at gmail.com> wrote:
> Thank you Jordan for the response.
>
No problem.
> Including the SNI information in cURL works, thank you. I wasn't aware this
> was so very different from TCP/HTTP2.
>
> The point I was trying to make about the ssl_certificate options to be
> mandatory, is that HTTP/2 also requires SSL
HTTP2 can be used without TLS by the way (called h2c), and this is also
implemented in nginx. With curl you can test it easily with
--http2-prior-knowledge flag against plain-text port.
The $http2 variable [1] can also be easily used to distinguish h2c vs
h2(with tls).
Of course, I doubt there is a lot of real world usage of h2c. Still, it can
be useful for testing :)
[1] https://nginx.org/en/docs/http/ngx_http_v2_module.html#variables
> but recognizes that when
> ssl_reject_handshake=on it doesn't need the certificate. For HTTP/3 it
> doesn't seem to recognize that it doesn't need the certificate since it
> will reject handshakes anyways.
I see, but when testing with exactly the configuration you posted, it
does not appear to require them in the default server (on 1.25.4). If I
remove ssl_certificate and ssl_certificate_key directives, it still
works...
1) Are you using any out of band patches in your nginx build (if self
built)?
2) Which TLS library are you using (openssl, boringssl, ect)?
3) Which OS?
Hi Jordan,
You are right, very sorry for the noise. Must have confounded the error
with the many changes I made at the same time. Thanks for your time!
Kind regards,
Taco de Wolff
Op za 2 mrt 2024 om 15:52 schreef J Carter <jordanc.carter at outlook.com>:
> Hello Taco,
>
> On Sat, 2 Mar 2024 09:54:46 -0300
> Taco de Wolff <tacodewolff at gmail.com> wrote:
>
> > Thank you Jordan for the response.
> >
>
> No problem.
>
> > Including the SNI information in cURL works, thank you. I wasn't aware
> this
> > was so very different from TCP/HTTP2.
> >
> > The point I was trying to make about the ssl_certificate options to be
> > mandatory, is that HTTP/2 also requires SSL
>
> HTTP2 can be used without TLS by the way (called h2c), and this is also
> implemented in nginx. With curl you can test it easily with
> --http2-prior-knowledge flag against plain-text port.
>
> The $http2 variable [1] can also be easily used to distinguish h2c vs
> h2(with tls).
>
> Of course, I doubt there is a lot of real world usage of h2c. Still, it
> can
> be useful for testing :)
>
> [1] https://nginx.org/en/docs/http/ngx_http_v2_module.html#variables
>
> > but recognizes that when
> > ssl_reject_handshake=on it doesn't need the certificate. For HTTP/3 it
> > doesn't seem to recognize that it doesn't need the certificate since it
> > will reject handshakes anyways.
>
> I see, but when testing with exactly the configuration you posted, it
> does not appear to require them in the default server (on 1.25.4). If I
> remove ssl_certificate and ssl_certificate_key directives, it still
> works...
>
> 1) Are you using any out of band patches in your nginx build (if self
> built)?
>
> 2) Which TLS library are you using (openssl, boringssl, ect)?
>
> 3) Which OS?
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240302/22c37427/attachment-0001.htm>
server { server_name _; listen 80 default_server; listen 443 default_server ssl; listen 443 default_server quic reuseport; listen [::]:80 default_server; listen [::]:443 default_server ssl; listen [::]:443 default_server quic reuseport;
}
server { server_name domain.com; listen 443 ssl; listen 443 quic; listen [::]:443 ssl; listen [::]:443 quic;
}