ssl_protocols per server?

Maxim Dounin mdounin at
Thu Oct 16 13:01:08 UTC 2014


On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:

>         listen 443 ssl spdy;
> Actually but sni is working fine sslabs reports the correct certs... just
> tells me SSLv3 is on in all when its only set for one of the domains...
> At first I had " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level
> and just set " ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; " in one of the
> servers/domain I removed that for http block and now have the different
> "ssl_protocols" directive in the corresponding configs and sslabs reports
> the one defined in the first.
> If I change the order (sslv3 first) sslabs reports all servers/domains have
> sslv3 on but curl fails with "-sslv3" and the error is related to the cert
> name ...  but I'm assuming that's just because sni is a TLS extension not
> SSL.. so it actually proves sslv3 is on when it shouldn't be!

When using SSLv3 to connect, settings of the default server{} 
block will be used.  This is because there is no SNI in SSLv3, and 
hence SSL connection is established in the context of the default 
server{} block.  The appropriate server{} block is then selected 
based on Host header in an http request, much like it used to work 
with non-SNI virtual hosting and normal HTTP.

That is, by using the "ssl_protocols" directive you can only limit 
use of SSLv3 for all servers on a particular listen socket, as due 
to lack of SNI it doesn't make sense in non-default server{} 

If you want to limit use of SSLv3 for a particular server only, 
you have two basic options:

- use a separate listen socket for this server (that is, use a 
  separate IP address);

- test $ssl_protocol variable during a http request processing and 
  return an error; something like

    if ($ssl_protocol = "SSLv3") {
        return 403;

  will do the trick.

Maxim Dounin

More information about the nginx mailing list