Make ssl_certificate optional?

Julian Blake Kongslie jblake at omgwallhack.org
Wed Jan 5 09:43:28 MSK 2011


Is there any possibility of allowing the use of SSL without the
ssl_certificate option in nginx?

Before you say I'm crazy, hear me out. I want to operate servers where
security is not required (the same content is served over HTTP) but it
would be nice to offer some encryption for people who desire it. I also
very strongly do not want to bother with certificates, especially as
those certificates would be self-signed and consequently offer *zero*
extra security assurance over anonymous DH mode.

The nginx config I *want* looks something like this:

http {
  server {
    listen 443;
    ssl on;
    ssl_ciphers ADH:aNULL:eNULL;
  }
}

I would happily settle for:

http {
  server {
    listen 443;
    ssl on;
    ssl_ciphers ADH:aNULL:eNULL;
    ssl_without_certificate_because_im_crazy on;
  }
}

Right now, I have to use:

http {
  server {
    listen 443;
    ssl on;
    ssl_ciphers ADH:aNULL:eNULL;
    ssl_certificate /some/x509/cert/which/will/never/be/used.pem;
    ssl_certificate_key /some/x509/cert/which/will/never/be/used.pem;
  }
}

I can't even use /dev/null because nginx croaks on an invalid
certificate.

It's a minor grief, certainly, but there really are perfectly valid SSL
modes that don't involve a certificate on the server side and I'm hoping
to avoid having to create snakeoil certs for all of my servers.

-- 
-Julian Blake Kongslie <jblake at omgwallhack.org>
If this is a mailing list, please CC me on replies.

vim: set ft=text :
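
Added example, not part of the original message and not nginx code: a Python check that scans nginx configuration text for ssl_ciphers directives and reports the selectors that leave anonymous suites (no server authentication) or null-encryption suites enabled. It is a simplified reading of OpenSSL cipher-string syntax; the function names and the sample configuration are assumptions (the first server block reuses the cipher string from the message, the second is constructed).

```python
import re

ANON = {"ADH", "AECDH", "aNULL", "ALL"}   # admit suites with no server authentication
NULLENC = {"eNULL", "NULL"}               # admit suites with no encryption

def risky_selectors(cipher_string):
    """Selectors that leave anonymous or null-encryption suites on (HIGH etc. are not expanded)."""
    items = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    killed = {t[1:] for t in items if t.startswith("!")}   # '!' deletes permanently
    enabled = []
    for t in items:
        if t[0] in "!+":                  # '+X' only reorders suites already present
            continue
        if t[0] == "-":                   # '-X' removes; a later token may add it back
            drop = ANON if t[1:] == "aNULL" else NULLENC if t[1:] in NULLENC else {t[1:]}
            enabled = [e for e in enabled if e not in drop]
            continue
        for name in t.split("+"):         # 'ADH+AES' is still anonymous
            dead = name in killed or (name in ANON and "aNULL" in killed) \
                   or (name in NULLENC and killed & NULLENC)
            if name in ANON | NULLENC and not dead and name not in enabled:
                enabled.append(name)
    return enabled

def audit(conf_text):
    """(line number, cipher string, risky selectors) for every ssl_ciphers directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*ssl_ciphers\s+([^;#]+);", line)
        if m:
            value = m.group(1).strip().strip("'\"")
            findings.append((no, value, risky_selectors(value)))
    return findings

# Constructed sample input; only the first cipher string comes from the message.
SAMPLE = """\
server {
    listen 443;
    ssl on;
    ssl_ciphers ADH:aNULL:eNULL;
}
server {
    listen 443;
    ssl on;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

For the authoritative expansion on a given host, `openssl ciphers -v 'STRING'` lists the suites the local OpenSSL build maps a cipher string to.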