ssl_protocols per server?
Maxim Dounin
mdounin at mdounin.ru
Fri Nov 7 13:38:57 UTC 2014
Hello!
On Fri, Nov 07, 2014 at 04:23:58AM -0500, saravsars wrote:
> Hello
>
> >When using SSLv3 to connect, settings of the default server{}
> >block will be used. This is because there is no SNI in SSLv3, and
> >hence SSL connection is established in the context of the default
> >server{} block
>
> Even with TLSv1.1 and TLSv1.2, default server "ssl_protocols" is only in
> effect.
In theory, this depends on the OpenSSL library behaviour and may
work as long as SNI is used - nginx does its best to update all
SSL options on SNI callback.

With current OpenSSL code it doesn't seem to work though, as
protocols allowed are checked before SNI callback happens and not
rechecked afterwards. So yes, you are right - "ssl_protocols"
won't do anything good in non-default server{} blocks, even if SNI
is used.
--
Maxim Dounin
http://nginx.org/
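
Added example, not part of the original message: a configuration sketch of the behaviour described above, showing where "ssl_protocols" is and is not applied when several server{} blocks share one listen socket. The hostnames, the 192.0.2.x addresses and the certificate paths are constructed placeholders, and the layout assumes the OpenSSL behaviour the message describes.

```nginx
# Constructed example; names, addresses and paths are placeholders.
events {}

http {
    # --- Shared socket 192.0.2.10:443 -------------------------------
    # The default server for this socket. Its ssl_protocols value is
    # the one checked during the handshake for every name served here,
    # because the protocol check happens before the SNI callback.
    server {
        listen 192.0.2.10:443 ssl default_server;
        server_name a.example.com;
        ssl_certificate     /etc/nginx/tls/a.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/a.example.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }

    # Non-default server on the same socket. The certificate is still
    # selected through SNI, but this ssl_protocols line is not applied:
    # clients of b.example.com can negotiate whatever the default
    # server above allows, including TLSv1.
    server {
        listen 192.0.2.10:443 ssl;
        server_name b.example.com;
        ssl_certificate     /etc/nginx/tls/b.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/b.example.com.key;
        ssl_protocols TLSv1.2;   # ineffective in this position
    }

    # --- Dedicated socket 192.0.2.11:443 ----------------------------
    # A name that needs a stricter protocol list gets its own listen
    # address. As the only server on that socket it is the default
    # server there, so its ssl_protocols setting is enforced.
    server {
        listen 192.0.2.11:443 ssl default_server;
        server_name strict.example.com;
        ssl_certificate     /etc/nginx/tls/strict.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/strict.example.com.key;
        ssl_protocols TLSv1.2;
    }
}
```

If all names on a socket can share one policy, setting "ssl_protocols" once at the http{} level or in the default server{} block gives the same result without a second address.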