ssl_protocols & SNI

Frank Liu gfrankliu at gmail.com
Fri Feb 10 23:18:14 UTC 2017


Hi Maxim,

Thanks for explaining why overloading ssl_protocols won't work. Since the
problem is with how OpenSSL works, will it work if we use other openssl
alternatives? I see people reporting boringssl and libressl work fine with
nginx. Does nginx still need to be modified to support overloading
ssl_protocols or is it just a matter of library switch?

Thanks!
Frank



On Thu, Jan 19, 2017 at 5:36 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>
> > Hello,
> >
> > I tried to overload the value of my default ssl_protocols (http block
> > level) in a server block.
> > It did not seem to apply the other value in this virtual server only.
> >
> > Since I use SNI on my OpenSSL implementation, which perfectly works to
> > support multiple virtual servers, I wonder why this SNI capability isn't
> > leveraged to apply different TLS environment depending on the SNI value and
> > the TLS directives configured for the virtual server of the asked domain.
> > Can SNI be used for other TLS configuration directives other than
> > certificates?
> >
> > More generally, is it normal you cannot overload directives such as
> > ssl_protocols or ssl_ciphers in a specific virtual server, using the same
> > socket as others?
> > If positive, would it be possible to use SNI to tweak TLS connections
> > environment depending on domain?
>
> You can overload ssl_ciphers.  You can't overload ssl_protocols
> because OpenSSL works this way: it selects the protocol used
> before SNI callback (and this behaviour looks more or less natural
> because the existence of SNI depends on the protocol used, and,
> for example, you can't enable SSLv3 in a SNI-based virtual host).
>
> In general, whether or not some SSL feature can be tweaked for
> SNI-based virtual hosts depends on two factors:
>
> - if it's at all possible;
> - how OpenSSL handles it.
>
> In some cases nginx also tries to provide per-virtualhost support
> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
> ssl_verify_depth, ssl_prefer_server_ciphers.
>
> --
> Maxim Dounin
> http://nginx.org/
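The configuration discussed in this thread, as an added example that is not taken from any of the messages: two SNI-based virtual servers on one listen socket, where the per-server ssl_protocols is not honoured but ssl_ciphers is. Hostnames, certificate paths, cipher strings and the 192.0.2.10 address are placeholders; the third server block assumes a second address is available and relies on the question's "same socket" condition no longer holding.

```nginx
# Added illustration. All names, paths and addresses are placeholders.

# Default server for the shared *:443 socket. The protocol is chosen
# before the SNI callback runs, so the value in effect at handshake
# start (here, the default server's) applies to every name on this socket.
server {
    listen 443 ssl default_server;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
}

# SNI-selected server on the same socket.
server {
    listen 443 ssl;
    server_name legacy.example.com;

    ssl_certificate     /etc/nginx/tls/legacy.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/legacy.example.com.key;

    # NOT applied: as explained in the thread, ssl_protocols cannot be
    # overloaded for an SNI-based virtual host. Clients of this name
    # still get the protocol set negotiated for the socket (TLSv1.2).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Applied: ssl_ciphers can be overloaded per virtual server.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
}

# Assumption: a separate listen address gives this server its own socket,
# so it no longer shares protocol selection with the servers above.
server {
    listen 192.0.2.10:443 ssl;
    server_name legacy-isolated.example.com;

    ssl_certificate     /etc/nginx/tls/legacy-isolated.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/legacy-isolated.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

To confirm which protocols a given name really accepts, test each server name separately, for instance with `openssl s_client -connect HOST:443 -servername legacy.example.com -tls1`, rather than trusting the server block. The same check catches the opposite mistake, where a stricter ssl_protocols in one virtual server is assumed to be in force but is not.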