Make ssl_certificate optional?

Julian Blake Kongslie jblake at omgwallhack.org
Wed Jan 5 17:50:07 MSK 2011


On Wed, Jan 05, 2011 at 10:48:33AM +0100, rainer at ultra-secure.de wrote:
> The question you should ask: is any client other than openssl actually
> capable of connecting successfully to such a server?
> 
> IIRC, Firefox disabled all the "insecure" SSL-ciphers some time ago anyway...

Firefox gives an error on connection, but some other browsers connect
just fine; the nginx configuration with a useless certificate works just
fine in practice for my purposes, it's just not as easy to set up and
deploy. For what it's worth, the most common clients for these sites by
volume are all libcurl, which works just fine as long as you set the
don't-verify-peer bits.

We have some patches queued up to send to a few more mainstream
browsers that enable ADH and NULL ciphers such that the lock icons are
not displayed and the URL bar is not colored, leaving the user
experience exactly the same as if no SSL was involved at all, which
seems like a politically acceptable compromise for getting ADH support
back into Firefox et al.

Unfortunately, browsers are complicated and testing all the pathways
involved in treating an SSL connection as an insecure connection is not
trivial, so I'm tilting at your windmill first and will be fighting
those other battles another day.

> Rainer

Thanks,

-- 
-Julian Blake Kongslie <jblake at omgwallhack.org>
If this is a mailing list, please CC me on replies.
