ssl_reject_handshake breaks other server blocks

Taco de Wolff tacodewolff at gmail.com
Sat Mar 2 22:55:44 UTC 2024


Hi Jordan,

You are right, very sorry for the noise. Must have confounded the error
with the many changes I made at the same time. Thanks for your time!

Kind regards,
Taco de Wolff


On Sat, 2 Mar 2024 at 15:52, J Carter <jordanc.carter at outlook.com> wrote:

> Hello Taco,
>
> On Sat, 2 Mar 2024 09:54:46 -0300
> Taco de Wolff <tacodewolff at gmail.com> wrote:
>
> > Thank you Jordan for the response.
> >
>
> No problem.
>
> > Including the SNI information in cURL works, thank you. I wasn't aware
> > this was so very different from TCP/HTTP2.
> >
> > The point I was trying to make about the ssl_certificate options to be
> > mandatory, is that HTTP/2 also requires SSL
>
> HTTP2 can be used without TLS by the way (called h2c), and this is also
> implemented in nginx. With curl you can test it easily with
> --http2-prior-knowledge flag against plain-text port.
>
> The $http2 variable [1] can also be easily used to distinguish h2c vs
> h2(with tls).
>
> Of course, I doubt there is a lot of real world usage of h2c. Still, it
> can be useful for testing :)
>
> [1] https://nginx.org/en/docs/http/ngx_http_v2_module.html#variables
>
> > but recognizes that when
> > ssl_reject_handshake=on it doesn't need the certificate. For HTTP/3 it
> > doesn't seem to recognize that it doesn't need the certificate since it
> > will reject handshakes anyways.
>
> I see, but when testing with exactly the configuration you posted, it
> does not appear to require them in the default server (on 1.25.4). If I
> remove ssl_certificate and ssl_certificate_key directives, it still
> works...
>
> 1) Are you using any out of band patches in your nginx build (if self
> built)?
>
> 2) Which TLS library are you using (openssl, boringssl, etc.)?
>
> 3) Which OS?