I have an OpenResty server, latest, compiled with http_ssl. So I have
5 websites on the same IP, each one with a server block, a listen
statement XXXX:443 SSL; and its own server_name, but when I test any of
the certificates (example https:// 3y3. us), the online analyzer
https://www.ssllabs.com/ssltest/ says that there is no SNI support,
"This site works only in browsers with SNI support."
"Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI
Server Key and Certificate #1
Subject: ssnode1.minixel.com
Fingerprint SHA256: 2c43df752c9f32a0b9072c9918c7f4064f215a75f321a3eed54f3ea53d377291
Pin SHA256: 0EYY9GZfp68L6vPN7Y0wSjXldFNAUDJBnJ3zFl+KhXs=
Common names: ssnode1.minixel.com
Alternative names: ssnode1.minixel.com   MISMATCH
Revocation status: Good (not revoked)
Trusted: No   NOT TRUSTED
Mozilla Apple Android Java Windows"
so how do I avoid this issue? Is there anything missing in my
configuration? I need to use the same IP for every website.
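What the SSL Labs report is probing can be reproduced locally. The script below is an added example (editor's code, not part of the original post and not OpenResty's own tooling): it fetches the leaf certificate a server sends when the client includes the TLS SNI extension and again when it omits it, then compares SHA-256 fingerprints in the same form SSL Labs prints. A different fingerprint without SNI means the server falls back to its default server block's certificate for clients that send no name, which is what the report's "Certificate #2 ... No SNI" / MISMATCH entry records. Chain validation is deliberately switched off because the question is which certificate is selected, not whether it is trusted. The host name in the usage call is a placeholder.

```python
"""Reproduce the SSL Labs "No SNI" probe with the Python standard library:
fetch the leaf certificate a TLS server presents with and without the SNI
extension, then compare SHA-256 fingerprints. Added example; not from the
original thread and not OpenResty code."""
import hashlib
import socket
import ssl
from typing import Dict, Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex,
    the same form SSL Labs prints under 'Fingerprint SHA256'."""
    return hashlib.sha256(der).hexdigest()


def leaf_certificate(host: str, port: int = 443, sni: Optional[str] = None,
                     timeout: float = 10.0) -> bytes:
    """Return the DER-encoded leaf certificate the server sends.

    sni=None sends no server_name extension at all, which is how a legacy
    client without SNI support behaves. Chain validation is switched off on
    purpose: we want to see which certificate is *selected*, not whether it
    is trusted (an untrusted default certificate would otherwise abort the
    handshake before we could look at it).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def classify(with_sni: str, without_sni: str) -> str:
    """Interpret a pair of fingerprints the way the SSL Labs report does."""
    if with_sni == without_sni:
        return ("same certificate with and without SNI: the default "
                "certificate already covers this name (or the server has "
                "only one certificate), so SNI is not needed to reach it")
    return ("different certificate without SNI: the server selects this "
            "site's certificate by SNI and non-SNI clients get the default "
            "server block's certificate instead (SSL Labs: 'works only in "
            "browsers with SNI support')")


def sni_report(host: str, port: int = 443) -> Dict[str, str]:
    """Probe one host twice and return both fingerprints plus the verdict."""
    with_sni = fingerprint(leaf_certificate(host, port, sni=host))
    without_sni = fingerprint(leaf_certificate(host, port, sni=None))
    return {"with_sni": with_sni, "without_sni": without_sni,
            "verdict": classify(with_sni, without_sni)}


if __name__ == "__main__":
    import sys
    # placeholder host name; pass the site under test as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for key, value in sni_report(target).items():
        print(f"{key}: {value}")
```

Run it once per site name that shares the IP; a site whose "without_sni" fingerprint equals the one SSL Labs shows for Certificate #2 is simply not the default server block's name, which is the expected result on a correctly working SNI setup.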
If you only have one IP, then you cannot fix this. SNI is what determines which certificate to serve for the request. The only solution would be individual IPs for each domain, thus not needing SNI to get the correct cert for each domain.
Sent from my Galaxy
-------- Original message --------
From: Saint Michael <venefax at gmail.com>
Date: 3/11/24 02:34 (GMT-05:00)
To: nginx at nginx.org
Subject: No SNI support on multisite installation
_______________________________________________
nginx mailing list
nginx at nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
On Fri, Mar 15, 2024 at 2:05 PM Thomas Ward via nginx <nginx at nginx.org> wrote:
>
> If you only have one IP, then you cannot fix this. SNI is what determines which certificate to serve for the request. The only solution would be individual IPs for each domain, thus not needing SNI to get the correct cert for each domain.
The real fix needs to be made in OpenResty. SNI is a standard
extension; it's about time OpenResty properly supported it.
Another way to fix it is to find a CA to issue a certificate that
includes all the domains in the Subject Alt Name. So the end entity
certificate issued would have, say, 10 or 12 different domains so the
same cert can be used for all the connections.
Google serves a cert like that for 'google.com', but they own all the
web properties.
$ openssl s_client -connect google.com:443 -servername google.com | \
    openssl x509 -text -noout
...
DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev,
DNS:*.origin-test.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com,
DNS:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl,
DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk,
DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br,
DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr,
DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr,
DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl,
DNS:*.google.pt, DNS:*.googleapis.cn, DNS:*.googlevideo.com,
DNS:*.gstatic.cn, DNS:*.gstatic-cn.com, DNS:googlecnapps.cn,
DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com,
DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.cn,
DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn,
DNS:recaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn,
DNS:*.widevine.cn, DNS:ampproject.org.cn, DNS:*.ampproject.org.cn,
DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com,
DNS:*.google-analytics-cn.com, DNS:googleadservices-cn.com,
DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com,
DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize-cn.com,
DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net,
DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doubleclick.cn,
DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn,
DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net,
DNS:googletraveladservices-cn.com, DNS:*.googletraveladservices-cn.com,
DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com,
DNS:googletagmanager-cn.com, DNS:*.googletagmanager-cn.com,
DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com,
DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com,
DNS:*.app-measurement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com,
DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, DNS:2mdn-cn.net, DNS:*.2mdn-cn.net,
DNS:googleflights-cn.net, DNS:*.googleflights-cn.net, DNS:admob-cn.com,
DNS:*.admob-cn.com, DNS:googlesandbox-cn.com, DNS:*.googlesandbox-cn.com,
DNS:*.safenup.googlesandbox-cn.com, DNS:*.gstatic.com,
DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com,
DNS:*.gvt2.com, DNS:*.gcp.gvt2.com, DNS:*.url.google.com,
DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com,
DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS:*.g.cn, DNS:g.co,
DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com,
DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com,
DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com,
DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com,
DNS:youtubeeducation.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com,
DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com,
DNS:developer.android.google.cn, DNS:developers.android.google.cn,
DNS:source.android.google.cn, DNS:developer.chrome.google.cn,
DNS:web.developers.google.cn
...
Jeff
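The multi-SAN approach above only works if every site name is listed in, or matched by, the subjectAltName extension of the one certificate. As an added example (editor's code, not Jeff's and not from OpenResty), the script below parses the SAN list out of `openssl x509 -text -noout` output in the layout shown above and checks each site name against it with the usual wildcard rules: a `*` must be the whole leftmost label and matches exactly one label, so `*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`. That is why the Google certificate lists both `DNS:*.google.com` and `DNS:google.com`. The certificate excerpt and site names below are constructed.

```python
"""Check which site names one multi-SAN certificate covers, working from the
text form that `openssl x509 -text -noout` prints. Added example; not from
the original thread and not OpenResty code."""
from typing import Dict, List

# Constructed excerpt in the layout `openssl x509 -text -noout` uses; a short
# stand-in for a real certificate's extension block.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com, DNS:shop.example.net,
                DNS:*.example.org, IP Address:192.0.2.10
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed list of the site names that would share one IP address.
SITES = ["example.com", "www.example.com", "a.b.example.com",
         "shop.example.net", "example.org", "blog.example.org",
         "WWW.Example.COM"]


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def parse_san(text: str) -> List[str]:
    """Return the DNS names of the subjectAltName extension, in certificate
    order. The extension body is every following line indented deeper than
    the header; openssl may print it as one long line or wrapped."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name:"):
            header_indent = _indent(line)
            body: List[str] = []
            for nxt in lines[i + 1:]:
                if not nxt.strip() or _indent(nxt) <= header_indent:
                    break
                body.append(nxt.strip())
            entries = [e.strip() for e in " ".join(body).split(",")]
            return [e[len("DNS:"):].strip()
                    for e in entries if e.startswith("DNS:")]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard must be the
    whole leftmost label and matches exactly one label. A wildcard directly
    under a top-level label (*.com) is rejected, a simplification of the
    public-suffix rule browsers apply."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(san_names: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each site name to whether any SAN entry matches it."""
    return {h: any(name_matches(p, h) for p in san_names) for h in hostnames}


if __name__ == "__main__":
    names = parse_san(SAMPLE_X509_TEXT)
    print("SAN DNS entries:", names)
    for host, ok in covered_by(names, SITES).items():
        print(f"  {host:20} {'covered' if ok else 'NOT covered'}")
```

Feed it the real output of the `openssl x509 -text -noout` pipeline above and the list of server_name values from your server blocks; any name reported as NOT covered is one the shared certificate would fail hostname validation for, regardless of how the server selects certificates.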
Jeffrey,
If I read OP's information right, the test they were seeing was that it says it needs SNI support and a number of browsers showed "No SNI support". I know from testing OpenResty supports SNI. That isn't the issue here I believe.
Sent from my Galaxy
-------- Original message --------
From: Jeffrey Walton <noloader at gmail.com>
Date: 3/15/24 14:24 (GMT-05:00)
To: nginx at nginx.org
Cc: Thomas Ward <teward at thomas-ward.net>
Subject: Re: No SNI support on multisite installation
On Fri, Mar 15, 2024 at 2:37 PM Thomas Ward <teward at thomas-ward.net> wrote:
>
> Jeffrey,
>
> If I read OP's information right, the test they were seeing was that it says it needs SNI support and a number of browsers showed "No SNI support". I know from testing OpenResty supports SNI. That isn't the issue here I believe.
My bad. After reading
<https://blog.openresty.com/en/edge-sni-proxy-application/>, it seemed
like OpenResty did not have native support for SNI, or did not
have it enabled by default.
Jeff