virtual hosts #18

Closed
Night1 opened this issue Feb 11, 2017 · 6 comments
Night1 commented Feb 11, 2017

Hey,
Thank you for your work on this module, I've come across an issue.

I got this working on a subdomain of mine with a certificate issued for both the root and a number of subdomains. It works fine on the subdomain, but not on the root domain. Both share the same SSL configuration in nginx; the only differences are folders and proxies.

Hmm, strange. When I move the commands to enable:
ssl_ct on;
ssl_ct_static_scts /etc/nginx/ssl/sct/;

to /etc/nginx/nginx.conf rather than each site in ../enabled-sites/, it works for all subdomains but not the root domain. Any idea why this is?

I have two sites enabled, both sharing the same certificate; one only responds to apps.mydomain.com, while the other responds to www.mydomain.com and mydomain.com.

The latter of which is the only one not reporting back as working with SSL Labs like the others: "Certificate Transparency Yes (TLS extension)"

Night1 closed this as completed Feb 11, 2017
Night1 reopened this Feb 11, 2017

@grahamedgecombe (Owner)

What version of OpenSSL/nginx are you using?

Night1 commented Feb 13, 2017

Hey,
I have two systems:

nginx version: nginx/1.11.9
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.1.0c 10 Nov 2016
TLS SNI support enabled

and

nginx version: nginx/1.11.9
built by gcc 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled

Night1 commented Feb 13, 2017

There is also a bug when using TLSv1.3, the CT does not work at all.

Firefox reports 0 CT when using TLSv1.3 but does report when using TLSv1.2

This is on the

nginx version: nginx/1.11.9
built by gcc 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=/home/night/Downloads/openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_module --with-http_addition_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic

@grahamedgecombe (Owner)

The first problem is probably the same issue as #13.

I'll take a look at the TLS 1.3 issue.

Night1 commented Feb 13, 2017

Yeah, it does look a lot like #13, so this one can be closed, or do you want it to remain open for TLS1.3?

Since SSLLabs fails to test TLS1.3 only, Firefox does report back no CT for my domains when it is on TLS1.3

@grahamedgecombe (Owner)

Closing (as it's covered by #13 and the new #21)
