ssl_protocols per server?
Maxim Dounin
mdounin at mdounin.ru
Thu Oct 16 13:01:08 UTC 2014
Hello!
On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:
> listen 443 ssl spdy;
>
> Actually, SNI is working fine; SSL Labs reports the correct certs... it just
> tells me SSLv3 is on in all of them when it's only set for one of the domains...
> At first I had "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level
> and just set "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;" in one of the
> servers/domains. I removed that from the http block and now have the different
> "ssl_protocols" directives in the corresponding configs, and SSL Labs reports
> the one defined in the first.
>
>
> If I change the order (SSLv3 first) SSL Labs reports all servers/domains have
> SSLv3 on, but curl fails with "-sslv3" and the error is related to the cert
> name... but I'm assuming that's just because SNI is a TLS extension, not
> SSL.. so it actually proves SSLv3 is on when it shouldn't be!
When using SSLv3 to connect, the settings of the default server{}
block will be used. This is because there is no SNI in SSLv3, and
hence the SSL connection is established in the context of the default
server{} block. The appropriate server{} block is then selected
based on the Host header in an HTTP request, much like it used to work
with non-SNI virtual hosting and normal HTTP.
That is, by using the "ssl_protocols" directive you can only limit
the use of SSLv3 for all servers on a particular listen socket, as due
to the lack of SNI it doesn't make sense in non-default server{}
blocks.
If you want to limit the use of SSLv3 for a particular server only,
you have two basic options:
- use a separate listen socket for this server (that is, use a
separate IP address);
- test the $ssl_protocol variable during HTTP request processing and
return an error; something like

    if ($ssl_protocol = "SSLv3") {
        return 403;
    }

will do the trick.
--
Maxim Dounin
http://nginx.org/
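The two options above, written out as a complete nginx configuration. This is an added example, not part of the original thread; the host names, IP addresses and certificate paths are placeholders. The point it demonstrates is that "ssl_protocols" is effectively a per-listen-socket setting (an SSLv3 client always lands in the default server{} for that socket, so the directive in a non-default server{} is never consulted by such a client), and that a per-server refusal therefore has to happen at the HTTP layer via $ssl_protocol.

```nginx
http {
    # Shared listen socket: whatever the default server{} allows applies to
    # every SSLv3 client on 192.0.2.10:443, regardless of which name they want.
    server {
        listen 192.0.2.10:443 ssl default_server;
        server_name legacy.example.com;      # placeholder

        # SSLv3 permitted on this socket (and hence for all non-SNI clients).
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate     /etc/nginx/ssl/legacy.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/legacy.key;   # placeholder
    }

    server {
        listen 192.0.2.10:443 ssl;
        server_name www.example.com;         # placeholder

        # Ignored by SSLv3 clients: they never reach this server{} during the
        # handshake, because without SNI the default server{} above is used.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate     /etc/nginx/ssl/www.crt;      # placeholder
        ssl_certificate_key /etc/nginx/ssl/www.key;      # placeholder

        # Option 2 from the reply: the request is routed here by the Host
        # header, so the refusal is made at the HTTP layer instead.
        if ($ssl_protocol = "SSLv3") {
            return 403;
        }
    }

    # Option 1 from the reply: a dedicated listen socket (separate IP) so that
    # this server{} is itself the default for its socket and its
    # ssl_protocols really does govern the handshake.
    server {
        listen 192.0.2.11:443 ssl default_server;
        server_name secure.example.com;      # placeholder

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate     /etc/nginx/ssl/secure.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/secure.key;   # placeholder
    }
}
```

To check which behaviour you actually get, test each name through the shared socket with an SSLv3-capable client (for example `openssl s_client -ssl3 -connect 192.0.2.10:443`, if your OpenSSL build still supports it): the handshake completes using the default server's certificate, and it is only the subsequent HTTP request with a `Host: www.example.com` header that receives the 403. Removing SSLv3 from the default server's ssl_protocols is what makes the handshake itself fail for every name on that socket.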