<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">I acknowledge how that works, although OpenSSL providing more flexibility over SNI for protocols supporting it would have been appreciated. Too bad.<br>Thanks Maxim for your always concise and straightforward discerning answers!<br></div><div class="gmail_extra"><div><div class="m_708247505134839564m_-1736571966511831130gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello!<br>
<span class="m_708247505134839564m_-1736571966511831130gmail-"><br>
On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:<br>
<br>
> Hello,<br>
><br>
> I tried to overload the value of my default ssl_protocols (http block<br>
> level) in a server block.<br>
> It did not seem to apply the other value in this virtual server only.<br>
><br>
> Since I use SNI on my OpenSSL implementation, which perfectly works to<br>
> support multiple virtual servers, I wonder why this SNI capability isn't<br>
> leveraged to apply different TLS environment depending on the SNI value and<br>
> the TLS directives configured for the virtual server of the asked domain.<br>
> Can SNI be used for other TLS configuration directives other than<br>
> certificates?<br>
><br>
> More generally, is it normal you cannot overload directives such as<br>
> ssl_protocols or ssl_ciphers in a specific virtual server, using the same<br>
> socket as others?<br>
> If positive, would it be possible to use SNI to tweak TLS connections<br>
> environment depending on domain?<br>
<br>
</span>You can overload ssl_ciphers. You can't overload ssl_protocols<br>
because OpenSSL works this way: it selects the protocol used<br>
before SNI callback (and this behaviour looks more or less natural<br>
because the existence of SNI depends on the protocol used, and,<br>
for example, you can't enable SSLv3 in a SNI-based virtual host).<br>
<br>
In general, whether or not some SSL feature can be tweaked for<br>
SNI-based virtual hosts depends on two factors:<br>
<br>
- if it's at all possible;<br>
- how OpenSSL handles it.<br>
<br>
In some cases nginx also tries to provide per-virtualhost support<br>
even for things OpenSSL doesn't handle natively, e.g., ssl_verify,<br>
ssl_verify_depth, ssl_prefer_server_ciphers.<br>
<span class="m_708247505134839564m_-1736571966511831130gmail-HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
</font></span></blockquote></div><br></div></div>
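As an added illustration, not part of this thread and not nginx's own code: a small Python lint that parses a constructed nginx configuration and flags every ssl_protocols directive placed in a server block that shares its listen socket with other server blocks. That is exactly the situation Maxim describes: OpenSSL has already chosen the protocol before the SNI callback runs, so such a per-server value cannot take effect, whereas a per-server ssl_ciphers can. The parser covers only the directive/block subset of nginx syntax, the certificate paths in the sample are placeholders, and the listen normalisation is a simplification.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): three virtual hosts, two of
# which share the 443 socket. The second one tries to tighten ssl_protocols
# for itself only, which nginx/OpenSSL cannot honour per SNI host.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    server {
        listen 443 ssl;
        server_name example.test;
        ssl_certificate     /etc/ssl/example.pem;   # placeholder path
        ssl_certificate_key /etc/ssl/example.key;   # placeholder path
    }

    server {
        listen 443 ssl;
        server_name secure.example.test;
        ssl_protocols TLSv1.2;          # ineffective: socket shared, chosen before SNI
        ssl_ciphers ECDHE+AESGCM;       # this one does apply to the SNI host
    }

    server {
        listen 8443 ssl;
        server_name alone.example.test;
        ssl_protocols TLSv1.2;          # fine: the only server on this socket
    }
}
"""

# Tokens: comments, quoted strings, block/statement punctuation, bare words.
_TOKEN = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+""")


def parse(text):
    """Parse a subset of nginx syntax into nested (name, args, children) tuples.

    children is None for a simple directive and a list for a block.
    """
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith('#')]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            words = []
            while tokens[pos] not in ('{', ';'):
                words.append(tokens[pos].strip('"\''))
                pos += 1
            if tokens[pos] == ';':
                pos += 1                      # end of a simple directive
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume '{'
                children = block()
                pos += 1                      # consume matching '}'
                items.append((words[0], words[1:], children))
        return items

    return block()


def directive(items, name):
    """Return the args of the first directive `name` in items, or None."""
    for n, args, _ in items:
        if n == name:
            return args
    return None


def socket_key(listen_args):
    """Simplified listen normalisation: '443' and '*:443' are the same socket."""
    addr = listen_args[0]
    return addr if ':' in addr else '*:' + addr


def find_ineffective_ssl_protocols(conf_text):
    """Return (server_name, socket, value) for each per-server ssl_protocols
    on a listen socket shared with at least one other server block."""
    findings = []
    for name, _, children in parse(conf_text):
        if name != 'http' or children is None:
            continue
        by_socket = defaultdict(list)
        for n, _, body in children:
            if n == 'server' and body is not None:
                listen = directive(body, 'listen')
                if listen and 'ssl' in listen:
                    by_socket[socket_key(listen)].append(body)
        for sock, servers in by_socket.items():
            if len(servers) < 2:
                continue                      # protocol choice affects no one else
            for body in servers:
                own = directive(body, 'ssl_protocols')
                if own is not None:
                    sname = (directive(body, 'server_name') or ['?'])[0]
                    findings.append((sname, sock, ' '.join(own)))
    return findings


if __name__ == '__main__':
    for sname, sock, value in find_ineffective_ssl_protocols(SAMPLE_CONF):
        print(f"{sname}: ssl_protocols '{value}' on shared socket {sock} "
              "cannot be applied per virtual host; set it at http level")
```

The lint deliberately says nothing about ssl_ciphers: per Maxim's answer that directive can be overridden per SNI host, so only ssl_protocols on a shared socket is reported.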