Make ssl_certificate optional?
Julian Blake Kongslie
jblake at omgwallhack.org
Wed Jan 5 09:43:28 MSK 2011
Is there any possibility of allowing the use of SSL without the
ssl_certificate option in nginx?
Before you say I'm crazy, hear me out. I want to operate servers where
security is not required (the same content is served over HTTP) but it
would be nice to offer some encryption for people who desire it. I also
very strongly do not want to bother with certificates, especially as
those certificates would be self-signed and consequently offer *zero*
extra security assurance over anonymous DH mode.
The nginx config I *want* looks something like this:
    http {
        server {
            listen 443;
            ssl on;
            ssl_ciphers ADH:aNULL:eNULL;
        }
    }
I would happily settle for:
    http {
        server {
            listen 443;
            ssl on;
            ssl_ciphers ADH:aNULL:eNULL;
            ssl_without_certificate_because_im_crazy on;
        }
    }
Right now, I have to use:
    http {
        server {
            listen 443;
            ssl on;
            ssl_ciphers ADH:aNULL:eNULL;
            ssl_certificate /some/x509/cert/which/will/never/be/used.pem;
            ssl_certificate_key /some/x509/cert/which/will/never/be/used.pem;
        }
    }
I can't even use /dev/null because nginx croaks on an invalid
certificate.
It's a minor grief, certainly, but there really are perfectly valid SSL
modes that don't involve a certificate on the server side and I'm hoping
to avoid having to create snakeoil certs for all of my servers.
--
-Julian Blake Kongslie <jblake at omgwallhack.org>
If this is a mailing list, please CC me on replies.
vim: set ft=text :
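
Added example, not part of the original message and not nginx code: a Python check that scans nginx configuration text for ssl_ciphers strings like the one in the post and reports tokens that enable anonymous suites (no server authentication, so no protection against an active man-in-the-middle) or NULL-encryption suites (eNULL, no encryption at all). The function names and the sample configuration are constructed for illustration, and the keyword handling is a conservative approximation of OpenSSL's cipher-string rules.

```python
import re

ANON_AUTH = {"aNULL", "ADH", "AECDH"}   # OpenSSL keywords: no server authentication
NULL_ENC = {"eNULL", "NULL"}            # OpenSSL keywords: no encryption at all
DIRECTIVE = re.compile(r"\s*ssl_ciphers\s+([^;]+);")

# Constructed sample: the post's cipher string next to a string that excludes aNULL.
SAMPLE = """\
server {
    ssl_ciphers ADH:aNULL:eNULL;   # string from the post
}
server {
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

def classify_cipher_string(spec):
    """Report tokens that explicitly enable anonymous or NULL suites.
    Conservative approximation: '!aNULL' and '!eNULL'/'!NULL' remove the
    whole class for good; tokens prefixed '-' or '+' never add suites and
    are skipped; aliases such as ALL or HIGH are not expanded.
    """
    tokens = [t for t in re.split(r"[:,\s]+", spec.strip()) if t]
    killed = {t[1:] for t in tokens if t.startswith("!")}
    found = {"anonymous": [], "null_encryption": []}
    for tok in tokens:
        if tok[0] in "!-+":
            continue
        parts = set(tok.split("+"))  # a '+' inside a token ANDs keywords
        if parts & ANON_AUTH and "aNULL" not in killed:
            found["anonymous"].append(tok)
        if parts & NULL_ENC and not killed & NULL_ENC:
            found["null_encryption"].append(tok)
    return found

def audit_nginx_config(text):
    """Return (line_no, cipher_string, findings) for risky directives."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])   # drop trailing comments
        if m:
            spec = m.group(1).strip().strip("\"'")
            findings = classify_cipher_string(spec)
            if any(findings.values()):
                results.append((no, spec, findings))
    return results

if __name__ == "__main__":
    print(audit_nginx_config(SAMPLE))
```

Only the first server block of the sample is reported; the second excludes anonymous suites with !aNULL and names no NULL-encryption keyword.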