ssl_protocols per server?
saravsars
nginx-forum at nginx.us
Fri Nov 7 09:23:58 UTC 2014
Hello
>When using SSLv3 to connect, settings of the default server{}
>block will be used. This is because there is no SNI in SSLv3, and
>hence SSL connection is established in the context of the default
>server{} block
Even with TLSv1.1 and TLSv1.2, only the default server's "ssl_protocols" is in effect.
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl default_server;
    server_name "";
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
openssl s_client -connect a.example.com:443 -servername a.example.com -tls1
(success)
TLSv1 is disabled for a.example.com, but the TLSv1 request succeeds.
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl default_server;
    server_name "";
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1.2;
}
openssl s_client -connect a.example.com:443 -servername a.example.com -tls1_1
(failed)
TLSv1, TLSv1.1 and TLSv1.2 are enabled for a.example.com, but TLSv1 and TLSv1.1
requests fail.
So, even with SNI clients, only the default_server's "ssl_protocols" is selected.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254016,254661#msg-254661
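An added example, not code from the post or from nginx: a small Python checker that applies the behaviour reported above (the default_server's "ssl_protocols" on a listen socket decides the handshake for every name on that socket) to a config and reports the per-server protocol settings that will not take effect. The flat-config parser and the function names are my own assumptions; the two sample configs reproduce the post's, minus the certificate lines.

```python
import re

# The post's two configurations, reproduced as sample input (certificate lines omitted).
CONF_FIRST = """
server { listen 443 ssl; server_name a.example.com; ssl_protocols TLSv1.1 TLSv1.2; }
server { listen 443 ssl default_server; server_name ""; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
"""
CONF_SECOND = """
server { listen 443 ssl; server_name a.example.com; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
server { listen 443 ssl default_server; server_name ""; ssl_protocols TLSv1.2; }
"""

def parse_servers(conf):
    """Return one dict per flat server{} block: listen socket, default flag, names, protocols."""
    servers = []
    for body in re.findall(r'\bserver\s*\{(.*?)\}', conf, re.S):
        srv = {'listen': None, 'default': False, 'names': [], 'protocols': set()}
        for stmt in body.split(';'):
            parts = stmt.split()
            if not parts:
                continue
            key, args = parts[0], parts[1:]
            if key == 'listen':
                srv['listen'] = args[0]
                srv['default'] = 'default_server' in args
            elif key == 'server_name':
                srv['names'] = [a.strip('"') for a in args]
            elif key == 'ssl_protocols':
                srv['protocols'] = set(args)
        servers.append(srv)
    return servers

def protocol_mismatches(conf):
    """Map each non-default server_name to the protocol versions whose handshake
    outcome is decided by the default_server on the same listen socket, not by
    the block's own ssl_protocols line."""
    servers = parse_servers(conf)
    defaults = {s['listen']: s for s in servers if s['default']}
    findings = {}
    for srv in servers:
        default = defaults.get(srv['listen'])
        if srv['default'] or default is None:
            continue
        # Default server allows it, this block disables it: handshake still succeeds.
        accepted = sorted(default['protocols'] - srv['protocols'])
        # This block allows it, default server disables it: handshake still fails.
        refused = sorted(srv['protocols'] - default['protocols'])
        if accepted or refused:
            for name in srv['names']:
                findings[name] = {'still_accepted': accepted, 'still_refused': refused}
    return findings
```

The practical fix this check points at is to give the default_server for each listen socket the strictest protocol set you need, since a stricter list in a named server block is not enforced.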