Issue with VirtualHost definition order and SNI SSL

Igor Sysoev is at rambler-co.ru
Thu Oct 29 11:08:17 MSK 2009 

On Thu, Oct 29, 2009 at 09:35:54AM +0200, Iantcho Vassilev wrote:

> Thanks for the info.
> I checked the browser  TLS is enabled.
> Is there a special way to enable it on the server??

http://wiki.nginx.org/NginxHttpSslModule#ssl_protocols

> It is very strange for me because before Nginx i was using litespeed and
> there every SSL host was listening on 443 and everything worked..how do they
> do it i don`t know..??

I do not know whether litespeed supports SNI.
All these hosts are listen on single IP ?

> 2009/10/29 Igor Sysoev <is at rambler-co.ru>
> 
> > On Wed, Oct 28, 2009 at 11:59:44PM +0200, Iantcho Vassilev wrote:
> >
> > > Here is the debug on the host when only one site listens to 443
> > >
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 http check ssl handshake
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 https ssl handshake: 0x16
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: -1
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_get_error: 2
> >
> > SNI handshake looks like this:
> >
> > 2009/10/29 09:53:05 [debug] 73997#0: *1 http check ssl handshake
> > 2009/10/29 09:53:05 [debug] 73997#0: *1 https ssl handshake: 0x16
> > 2009/10/29 09:53:05 [debug] 73997#0: *1 SSL server name: "www.example.com"
> > 2009/10/29 09:53:05 [debug] 73997#0: *1 SSL_do_handshake: -1
> > 2009/10/29 09:53:05 [debug] 73997#0: *1 SSL_get_error: 2
> >
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 post event 0000000001DD95A0
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 delete posted event
> > > 0000000001DD95A0
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL handshake handler: 0
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: 1
> > > 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL: SSLv3, cipher:
> > > "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
> >
> > For some reason only SSLv3 has been negotiated.
> > Either server has no enabled TLSv1 in ssl_protocols, or browser.


-- 
Igor Sysoev
http://sysoev.ru/en/

More information about the nginx mailing list