ssl_protocols & SNI
reallfqq-nginx at yahoo.fr
Mon Jan 23 19:50:35 UTC 2017
On Thu, Jan 19, 2017 at 7:07 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:
> There is something strange, though.
> I configured cipher suites with ssl_ciphers with suites from TLSv1.0 &
> TLSv1.2 (TLSv1.1 having no specific cipher suites but merely relying on
> thos from TLSv1.0).
> Those 3 protocols can be tested successfully when ssl_protocols is at its
> default value (TLSv1 TLSv1.1 TLSv1.2 since nginx v1.9.1).
> However, trying to remove TLSv1 (thus using TLSv1.1 TLSv1.2 for those who
> are following ^^), I cannot connect using neither TLSv1.0 nor TLSv1.1, only
> with TLSv1.2 a connection can be established.
> I am probably overlooking something... What is it?
> *B. R.*
> On Thu, Jan 19, 2017 at 3:28 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:
>> I acknowledge how that works, although OpenSSL providing more flexibility
>> over SNI for protocols supporting it would have been appreciated. Too bad.
>> Thanks Maxim for you always concise and straightforward discerning
>> *B. R.*
>> On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>>> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>>> > Hello,
>>> > I tried to overload the value of my default ssl_protocols (http block
>>> > level) in a server block.
>>> > It did not seem to apply the other value in this virtuel server only.
>>> > Since I use SNI on my OpenSSL implementation, which perfectly works to
>>> > support multiple virtual servers, I wonder why this SNI capability
>>> > leveraged to apply different TLS environment depending on the SNI
>>> value and
>>> > the TLS directives configured for the virtual server of the asked
>>> > Can SNI be used for other TLS configuration directives other than
>>> > certificates?
>>> > More generally, is it normal you cannot overload directives such as
>>> > ssl_protocols or ssl_ciphers in a specific virtual server, using the
>>> > socket as others?
>>> > If positive, would it be possible to use SNI to tweak TLS connections
>>> > envrionment depending on domain?
>>> You can overload ssl_ciphers. You can't overload ssl_protocols
>>> because OpenSSL works this way: it selects the protocol used
>>> before SNI callback (and this behaviour looks more or less natural
>>> beacause the existance of SNI depends on the protocol used, and,
>>> for example, you can't enable SSLv3 in a SNI-based virtual host).
>>> In general, whether or not some SSL feature can be tweaked for
>>> SNI-based virtual hosts depends on two factors:
>>> - if it's at all possible;
>>> - how OpenSSL handles it.
>>> In some cases nginx also tries to provide per-virtualhost support
>>> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
>>> ssl_verify_depth, ssl_prefer_server_ciphers.
>>> Maxim Dounin
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx