How to force SNI only connections, or have a fallback non-SNI server?

Igor Sysoev igor at sysoev.ru
Thu Jul 15 00:05:25 MSD 2010


On Wed, Jul 14, 2010 at 03:47:29PM -0300, Tiago Freire wrote:

> EV is a requirement because upper management wants the 'green bar'.
> 
> It is my understanding that Apache has a configuration option to force
> SNI-only SSL handshake, returning a (user-configurable I believe) error to
> the non-SNI clients, therefore it must be possible to customize the action
> taken about the presence (or absence) of the SNI header.
> 
> I am no expert of the bits and bytes, step-by-step of SSL, but from what I
> have read while researching, the SNI specification dictates that at the
> beginning of the handshake to establish the SSL connection the client would
> send the URL to which it wants to connect, which is the main ingredient for
> SNI to work. Lack of this would indicate a non-SNI connection handshake.
> 
> Apache can act on it, I thought nginx could be able to act on it too, that's
> why I am asking. If nginx does not currently have this functionality, I see
> value in implementing it, and that's what I would like to propose:
> 
> A way to detect and segregate SNI and non-SNI connections before the SSL
> handshake finishes (this must be possible because it is the very way SNI
> works), and give the nginx administrator configurable options to act upon
> the different connections: give an error on non-SNI connections, or send
> them to a different server, or just accept them in the first ssl server.

There is no way to tell a browser something like a 403 error or a redirect before
the SSL handshake finishes. If you mean Apache's "SSLStrictSNIVHostCheck on",
then it starts to work only after the browser has shown a message about an
inappropriate certificate name, if you have several sites on a single IP.

If you have only one server and want to enable SNI-only access, then
you can use:

     # default server on :443: catches clients that send no SNI name
     # (or an unknown one) and answers them with 403
     server {
         listen           443 default;
         server_name      _;
         ssl              on;
         ssl_certificate  one.site.cert;
         return           403;
     }

     # selected only when the client's SNI name matches
     server {
         listen           443;
         server_name      www.one.site;
         ssl              on;
         ssl_certificate  one.site.cert;
         ...
     }


> On Wed, Jul 14, 2010 at 2:01 PM, Alex Sergeyev <asergeyev at dyn.com> wrote:
> 
> > Tiago if (by any chance) your site names are in same domain - you may
> > consider non-EV but WILDCARD certificate for *.domain.tld
> >
> > Alex.
> >
> >
> > On Wed, 2010-07-14 at 13:17 -0300, Tiago Freire wrote:
> > > I was hoping that there would be a configuration option on nginx to
> > > either:
> > > 1) give a 403 error - or whatever error is best fit - when it detects
> > > non-SNI SSL handshake; or
> > > 2) redirect non-SNI SSL handshake traffic to a different virtual
> > > server.


-- 
Igor Sysoev
http://sysoev.ru/en/
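The following configuration is an added example and is not part of the thread above or of the nginx project's documentation. It generalizes Igor's default-server trick to several SNI hostnames on one IP and adds the `ssl_reject_handshake` directive that later nginx versions (1.19.4 and newer) provide for exactly the case Tiago asked about: refusing non-SNI or unknown-name clients before any certificate is sent. Hostnames and file paths are placeholders.

```nginx
# Catch-all for clients that send no SNI, or an SNI name matching no
# server block below. As default_server on :443 it is the block nginx
# selects when the ClientHello carries no usable server name.
server {
    listen 443 ssl default_server;
    server_name _;

    # Modern form (nginx >= 1.19.4): abort the handshake with an
    # "unrecognized_name" TLS alert. No certificate is presented, so the
    # client never sees a name-mismatch warning followed by a 403; the
    # connection simply fails to establish.
    ssl_reject_handshake on;

    # Pre-1.19.4 form (what the reply above describes): the handshake must
    # complete with some certificate, so a browser first warns about the
    # name mismatch and only then receives the 403 response.
    # ssl_certificate     /etc/nginx/certs/one.site.crt;   # placeholder path
    # ssl_certificate_key /etc/nginx/certs/one.site.key;   # placeholder path
    # return 403;
}

# One block per SNI hostname. nginx matches server_name against the SNI
# extension in the ClientHello and presents that site's certificate.
server {
    listen 443 ssl;
    server_name www.one.site;                              # placeholder name
    ssl_certificate     /etc/nginx/certs/one.site.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/certs/one.site.key;     # placeholder path
    location / {
        root /var/www/one.site;                            # placeholder path
    }
}

server {
    listen 443 ssl;
    server_name www.two.site;                              # placeholder name
    ssl_certificate     /etc/nginx/certs/two.site.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/certs/two.site.key;     # placeholder path
    location / {
        root /var/www/two.site;                            # placeholder path
    }
}
```

To check the behaviour from a client, compare `openssl s_client -connect <host>:443 -servername www.one.site` with the same command without `-servername`: the first completes the handshake and shows one.site's certificate, the second is refused with an unrecognized-name alert under `ssl_reject_handshake`, or completes with a mismatched certificate and then returns 403 under the older `return 403` form.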