<div dir="ltr">Hum... makes sense when sni is involved yes, but I get the same issue if using the same certificate (wildcard) for 2 subdomains our my dev environment.<br><br>say "<a href="http://blog.domain.com">blog.domain.com</a>" and "<a href="http://forums.domain.com">forums.domain.com</a>" and I tested with cert/key_path define in the server's blocks and in conf.d/ssl.conf (which is read before site-enabled/*) both give the same result<br><br>This are curl result with any ssl path/cipher striped form server blocks, and in one ssl_protocol as sslv3 (forums) the other does not<br><br><div><div>~% curl -sslv3 -I -uuser:pass <a href="https://blog.domain.com">https://blog.domain.com</a> </div><div>* Rebuilt URL to: <a href="https://blog.domain.com/">https://blog.domain.com/</a></div><div>* Hostname was NOT found in DNS cache</div><div>* Trying 1.2.3.4...</div><div>* Connected to <a href="http://blogdev.domain.com">blogdev.domain.com</a> (1.2.3.4) port 443 (#0)</div><div>* successfully set certificate verify locations:</div><div>* CAfile: /usr/local/share/certs/ca-root-nss.crt</div><div> CApath: none</div><div>* SSLv3, TLS handshake, Client hello (1):</div><div>* SSLv3, TLS alert, Server hello (2):</div><div>* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure</div><div>* Closing connection 0</div><div>~% curl -sslv3 -I -uuser:pass <a href="https://orums.domain.com">https://orums.domain.com</a></div><div>* Rebuilt URL to: <a href="https://forums.domain.com/">https://forums.domain.com/</a></div><div>* Hostname was NOT found in DNS cache</div><div>* Trying 1.2.3.4...</div><div>* Connected to <a href="http://testforums.domain.com">testforums.domain.com</a> (1.2.3.4) port 443 (#0)</div><div>* successfully set certificate verify locations:</div><div>* CAfile: /usr/local/share/certs/ca-root-nss.crt</div><div> CApath: none</div><div>* SSLv3, TLS handshake, Client hello (1):</div><div>* SSLv3, TLS alert, Server hello (2):</div><div>* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure</div><div>* Closing connection 0</div></div><div><br></div><div>NOTE: the blog config is read first... if I rename the forums config to 00-forums.conf SSLv3 works, but works for both and it should not work for blog... so It seems that its not only about sni? </div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><span><font color="#888888">
<font size="1"><br>
<font face="Calibri Light">Melhores Cumprimentos // Best
Regards<br>
</font><font face="Calibri Light">-----------------------------------------------<br>
<b><font color="#000066">Miguel Clara</font></b><br>
</font><b><font color="#ff6600" face="Calibri Light">IT
- Sys Admin & Developer</font></b><font face="Calibri
Light"><br>
</font><b><font face="Calibri Light">E-mail: </font></b><font face="Calibri Light"><a href="mailto:miguelmclara@gmail.com" target="_blank">miguelmclara@gmail.com</a><br>
</font><font face="Calibri Light"><img src="cid:part2.08010009.06070405@gmail.com"> <a href="http://www.linkedin.com/in/miguelmclara/" target="_blank">www.linkedin.com/in/miguelmclara/</a></font></font></font></span></div></div>
<br><div class="gmail_quote">On Thu, Oct 16, 2014 at 2:01 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<div><div class="h5"><br>
On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:<br>
<br>
> listen 443 ssl spdy;<br>
><br>
> Actually but sni is working fine sslabs reports the correct certs... just<br>
> tells me SSLv3 is on in all when its only set for one of the domains...<br>
> At first I had " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level<br>
> and just set " ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; " in one of the<br>
> servers/domain I removed that for http block and now have the different<br>
> "ssl_protocols" directive in the corresponding configs and sslabs reports<br>
> the one defined in the first.<br>
><br>
><br>
> If I change the order (sslv3 first) sslabs reports all servers/domains have<br>
> sslv3 on but curl fails with "-sslv3" and the error is related to the cert<br>
> name ... but I'm assuming that's just because sni is a TLS extension not<br>
> SSL.. so it actually proves sslv3 is on when it shouldn't be!<br>
<br>
</div></div>When using SSLv3 to connect, settings of the default server{}<br>
block will be used. This is because there is no SNI in SSLv3, and<br>
hence SSL connection is established in the context of the default<br>
server{} block. The appropriate server{} block is then selected<br>
based on Host header in an http request, much like it used to work<br>
with non-SNI virtual hosting and normal HTTP.<br>
<br>
That is, by using the "ssl_protocols" directive you can only limit<br>
use of SSLv3 for all servers on a particular listen socket, as due<br>
to lack of SNI it doesn't make sense in non-default server{}<br>
blocks.<br>
<br>
If you want to limit use of SSLv3 for a particular server only,<br>
you have two basic options:<br>
<br>
- use a separate listen socket for this server (that is, use a<br>
separate IP address);<br>
<br>
- test $ssl_protocol variable during a http request processing and<br>
return an error; something like<br>
<br>
if ($ssl_protocol = "SSLv3") {<br>
return 403;<br>
}<br>
<br>
will do the trick.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" target="_blank">http://nginx.org/</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div>