How to force SNI only connections, or have a fallback non-SNI server?

Tiago Freire tiago.freire at gmail.com
Wed Jul 14 22:47:29 MSD 2010


EV is a requirement because upper management wants the 'green bar'.

It is my understanding that Apache has a configuration option to force
SNI-only SSL handshake, returning a (user-configurable I believe) error to
the non-SNI clients, therefore it must be possible to customize the action
taken about the presence (or absence) of the SNI header.

I am no expert of the bits and bytes, step-by-step of SSL, but from what I
have read while researching, the SNI specification dictates that at the
beginning of the handshake to establish the SSL connection the client would
send the URL to which it wants to connect, which is the main ingredient for
SNI to work. Lack of this would indicate a non-SNI connection handshake.

Apache can act on it, so I thought nginx could act on it too; that's
why I am asking. If nginx does not currently have this functionality, I see
value in implementing it, and that's what I would like to propose:

A way to detect and segregate SNI and non-SNI connections before the SSL
handshake finishes (this must be possible because it is the very way SNI
works), and give the nginx administrator configurable options to act upon
the different connections: give an error on non-SNI connections, or send
them to a different server, or just accept them in the first ssl server.

On Wed, Jul 14, 2010 at 2:01 PM, Alex Sergeyev <asergeyev at dyn.com> wrote:

> Tiago, if (by any chance) your site names are in the same domain, you may
> consider a non-EV but WILDCARD certificate for *.domain.tld
>
> Alex.
>
>
> On Wed, 2010-07-14 at 13:17 -0300, Tiago Freire wrote:
> > I was hoping that there would be a configuration option on nginx to
> > either:
> > 1) give a 403 error - or whatever error is best fit - when it detects
> > non-SNI SSL handshake; or
> > 2) redirect non-SNI SSL handshake traffic to a different virtual
> > server.
> >



-- 
-----
Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe
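
As an added illustration of the mechanism the proposal above relies on (this is example code written for this page, not nginx code and not something the poster sent): the server_name is carried in the very first handshake message, the ClientHello, inside an extension, so a server can classify a connection as SNI or non-SNI before it ever picks a certificate. The parser below walks a raw ClientHello record and returns the server_name or None; build_client_hello() constructs sample hellos (the cipher suite IDs, the fixed random bytes and the host names are arbitrary constructed values), and route_connection() applies the three policies the poster lists (reject, send to a fallback server, accept in the first server). The policy names and the "fallback-server" label are assumptions made for the example.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension (RFC 6066)
EXT_ALPN = 0x0010         # used only to build a "has extensions but no SNI" hello
HOST_NAME = 0x00          # the only name_type defined for SNI


def build_client_hello(server_name=None, alpn=None):
    """Constructed test input: a minimal TLS 1.2 ClientHello record.
    server_name=None yields the kind of hello a non-SNI client sends."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")       # SNI carries a bare host name, not a URL
        sni_list = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if alpn is not None:
        proto = alpn.encode("ascii")
        alpn_list = struct.pack("!B", len(proto)) + proto
        alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
        exts += struct.pack("!HH", EXT_ALPN, len(alpn_data)) + alpn_data
    cipher_suites = b"\xc0\x2f\x00\x9c"          # two arbitrary suite IDs (constructed)
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # version, fixed random, empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                          # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def sni_from_client_hello(raw):
    """Return the server_name from a ClientHello record, or None if there is no SNI."""
    if len(raw) < 9 or raw[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", raw[3:5])[0]
    hs = raw[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + p[pos]                             # session_id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + p[pos]                             # compression_methods
    if pos + 2 > len(p):
        return None                               # no extensions block at all: non-SNI client
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        data = p[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            q = 2                                 # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                q += 3
                if ntype == HOST_NAME:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    return None                                   # extensions present, but no SNI


def route_connection(raw, sni_hosts, non_sni_policy="reject"):
    """Classify a connection from its ClientHello and apply one of the three
    policies from the post: 'reject', 'fallback' (a separate server) or
    'accept' (serve it from the first SSL server). Returns (kind, target)."""
    name = sni_from_client_hello(raw)
    if name is None:
        if non_sni_policy == "reject":
            return ("reject", None)               # e.g. answer with a TLS alert
        if non_sni_policy == "fallback":
            return ("fallback", "fallback-server")  # hypothetical server label
        return ("default", sni_hosts[0])
    # SNI present: pick the matching server, unknown names go to the first one
    return ("sni", name if name in sni_hosts else sni_hosts[0])
```

For a real server the same decision is taken in the SNI callback of the TLS library (Python exposes it as ssl.SSLContext.sni_callback, which is invoked with server_name set to None when the client sent no SNI); the parser above just makes visible where in the byte stream that information sits. In current nginx the reject policy exists as ssl_reject_handshake on; in a default server block (added in 1.19.4), and $ssl_server_name exposes the received name for the other two policies.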