How to hide/delete No SNI Certificate in Nginx?

Arturo · 2018-05-31 13:44:20 UTC

I have 2 domains hi.com and hello.com using one IP 234.235.236.237

If I check domain hi.com in ssllabs.com I see 1 certificate, nice.

But, if I check domain hello.com in ssllabs.com I see 2 certificate:

Certificate #1: EC 256 bits (SHA256withRSA)
SCR: https://i.stack.imgur.com/EM7tz.png

Certificate #2: EC 256 bits (SHA256withRSA)

If I add to Nginx, hi.com and hello.com not work.

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name _;
    return 444;
}

How to disable or delete Certificate #2 No SNI?

sahsanu · 2018-05-31 14:16:19 UTC

Hi @Arturo,

If you want to use a ssl server block you need to specify a cert and a private key, you could create a self-signed certificate and use it as your default server so No SNI connections will reach this fake cert… or you can use the approach you are already using right now (with your real domain names oxxxxxx.club and kxxxxx.club) and it is use different ips for each domain.

Cheers,
sahsanu

tob · 2018-05-31 14:23:16 UTC

I use haproxy as “SNI-Router”, to decide which connection goes to which service. Simply define no default, then a non-SNI-connection will be dropped without presenting a certificate.

Arturo · 2018-05-31 15:58:49 UTC

Hi @sahsanu, thanks for the answer.

Oh, you see real domains =)

Arturo · 2018-05-31 16:11:42 UTC

Now my 2 domains have Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

It`s normal?

stevenzhu · 2018-05-31 16:24:35 UTC

Hi,

If you want more people to help you… You would need to share us your real domain name since we can’t help if we know nothing about this server specific error.

Thank you

Arturo · 2018-05-31 16:29:46 UTC

Hi @stevenzhu, my main Certificate #1 letsencrypt nice work.

This is fake cert.
~# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return 444;
}

Is it okay to use such a certificate?

tdelmas · 2018-05-31 20:22:44 UTC

As your server returns an error 444

return 444;

It doesn’t really matter if the certificate is valid or not.

The “No SNI” case it only for old Browsers who doesn’t use the SNI mecanism.

If you want to block these browsers, it’s fine.

If you prefer to allow them, you should present a valid certificate (and if possible the one of your most visited domain) :

if the browser wanted to visits a domain present in the certificate, it will works
if the browser wanted to visits another domain of your server, he will encounter a (probably by-passable error), as with many other websites.

According to https://caniuse.com/#feat=sni 97.4% of visitors have Browsers with SNI support.

stevenzhu · 2018-05-31 20:27:02 UTC

Normally only XP (and below), Android 4.2?( And below), iPhone (some version) has no SNI support.

So that seems to be a minor impact for me… (Since Major websites won’t allow you to use with XP now…)

Thank you

rg305 · 2018-06-01 00:08:08 UTC

If you have multiple IPs, then one IP per site would work best.
Otherwise…
If your directories were structured with all customer sites being subfolders to a common branch…
Like:
/provider/
/provider/company1.site
/provider/company2.site
(or you could do some aliasing within the vhost configs - but that would overcomplicate this example)

You could setup your vhost configs:

---
servername IP
serveralias _default_ #use appropriate default equivalent string
documentroot /provider/
sslcertificatefile /etc/letsencrypt/live/SAN/cert.pem #SAN would include all the names
---
servername provider
documentroot /provider/
sslcertificatefile /etc/letsencrypt/live/provider/cert.pem
---
servername company1.site
documentroot /provider/company1.site/
sslcertificatefile /etc/letsencrypt/live/company1.site/cert.pem
---
servername company2.site
documentroot /provider/company2.site/
sslcertificatefile /etc/letsencrypt/live/company2.site/cert.pem
---

So that:

http://IP/ or http://provider/
shows content at: /provider/

http://company1.site/ or http://provider/company1.site/ or http://IP/company1.site/
shows content at: /provider/company1.site/

http://company2.site/ or http://provider/company2.site/ or http://IP/company2.site/
shows content at: /provider/company2.site/

system · 2018-07-01 00:08:13 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.