How to force SNI only connections, or have a fallback non-SNI server?
igor at sysoev.ru
Wed Jul 14 20:49:16 MSD 2010
On Wed, Jul 14, 2010 at 01:17:57PM -0300, Tiago Freire wrote:
> I was hoping that there would be a configuration option on nginx to either:
> 1) give a 403 error - or whatever error is best fit - when it detects
> non-SNI SSL handshake; or
> 2) redirect non-SNI SSL handshake traffic to a different virtual server.
> Is this list the best place to suggest nginx features?
I do not understand the reason why do you want to detect non-SNI connections.
If you want to avoid browser message about inappropriate certificate, then
this is not allowed by SSL protocol: before nginx may show 403 error or
send redirect to a client, the client must to establish SSL connection.
And certificate is indispensable thing during this process.
If you want to show 403 error or send redirect AFTER browser has shown
a message about inappropriate certificate, then you may try this configuration:
listen 443 default;
Non-SNI browsers will always get dummy.name.cert, show the message,
and get 403 error.
SNI-enabled browsers will get appropriate certificate and will go
to appropriate site.
> On Wed, Jul 14, 2010 at 4:30 AM, Igor Sysoev <igor at sysoev.ru> wrote:
> > On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:
> > > Hi,
> > >
> > > I have heard about nginx before, and I am now considering to use it for
> > > several reasons, perfomance is one of them.
> > >
> > > I have to put several servers with EV certificates behind a single IP
> > > though, and I noticed nginx supports SNI.
> > >
> > > I know that not all browsers support SNI, but we are developing web
> > > applications where we can give ourselves the luxury of being a bit picky
> > > about browser support.
> > >
> > > What was not clear in the documentation was: does enabling SNI support
> > > forces all connections to be SNI, or old browsers will still 'work'?
> > > I understood that old browsers would only be able to go to the default
> > > server.
> > >
> > > If running with SNI still accepts old browsers, is there a configuration
> > > option to force SNI-only connections?
> > >
> > > Otherwise, is there any way to segregate SNI and non-SNI connections and
> > > send them to different servers?
> > Regardless of server SNI support, old browsers get always certificate
> > of default server and they complain if a server name does not match
> > a certificate's server name. Theoretically after this you may redirect
> > them to an other server, but it's too late from user point of view.
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe
> nginx mailing list
> nginx at nginx.org
More information about the nginx