ssl_protocols per server?

Maxim Dounin mdounin at mdounin.ru
Fri Nov 7 13:38:57 UTC 2014


Hello!

On Fri, Nov 07, 2014 at 04:23:58AM -0500, saravsars wrote:

> Hello
> 
> >When using SSLv3 to connect, settings of the default server{}
> >block will be used. This is because there is no SNI in SSLv3, and
> >hence SSL connection is established in the context of the default
> >server{} block
> 
> Even with TLSv1.1 and TLSv1.2, default server "ssl_protocols" is only in
> effect.

In theory, this depends on the OpenSSL library behaviour and may 
work as long as SNI is used - nginx does its best to update all 
SSL options on SNI callback.

With current OpenSSL code it doesn't seem to work though, as 
protocols allowed are checked before SNI callback happens and not 
rechecked afterwards.  So yes, you are right - "ssl_protocols" 
won't do anything good in non-default server{} blocks, even if SNI 
is used.

-- 
Maxim Dounin
http://nginx.org/
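The behaviour described in the reply, shown as a configuration example added here (not part of the original thread or of nginx's documentation). The server names, certificate paths and address are placeholders; the point is which ssl_protocols directive actually governs the connection.

```nginx
# Added example, not from the original post. Two virtual hosts share one
# TLS listening socket; names and paths below are placeholders.

http {
    server {
        # Default server for 443: its settings are in effect when the
        # protocol version is negotiated, which happens before the SNI
        # callback. This line therefore applies to EVERY host on :443.
        listen 443 ssl default_server;
        server_name default.example;                       # placeholder
        ssl_certificate     /etc/nginx/certs/default.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/default.key;  # placeholder

        # Weak: leaves SSLv3 enabled for all hosts on this socket.
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

        # Corrected: restrict here (or at http{} level) so the setting
        # is in effect for every host that shares the socket.
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }

    server {
        listen 443 ssl;
        server_name app.example;                           # placeholder
        ssl_certificate     /etc/nginx/certs/app.crt;      # placeholder
        ssl_certificate_key /etc/nginx/certs/app.key;      # placeholder

        # Ineffective: the version is already chosen under the default
        # server's ssl_protocols before SNI selects this block, and the
        # current OpenSSL code does not re-check it afterwards.
        ssl_protocols TLSv1.1 TLSv1.2;
    }
}
```

To confirm which directive is in effect on a given deployment, connect with an SNI name for the non-default host and force an older version, e.g. `openssl s_client -connect 203.0.113.10:443 -servername app.example -ssl3` (on an OpenSSL build that still has SSLv3); a successful handshake shows the default server's protocol list being applied.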


