curl "Connection refused" caused by SSL config

Maxim Dounin mdounin at
Fri Mar 6 12:47:15 UTC 2015


On Thu, Mar 05, 2015 at 09:58:37PM -0500, Fry-kun wrote:

> So it looks like the ssl config is valid per-port only. If I set up a server
> on a different port with different ssl config, it works.
> Is this a bug or is it by design?

This is by design.  Before some protocol-specific handshake 
happens, it is not possible to tell which virtual server client is 
going to request.  Therefore, the default server context (and 
corresponding options) are used before the handshake.

In this particular case, you are trying to enable SSLv3 for a 
virtual server.   This is not possible at all even in theory: 
there is no SNI extension in SSLv3, and requested virtual server 
will be known only after reading an HTTP request.  But it won't be 
possible to send an HTTP request as SSLv3 is disabled in the 
default server, and therefore the SSL handshake will fail.

See here for some additional details about configuring SSL in 

Maxim Dounin

More information about the nginx mailing list