ssl_protocols per server?

Miguel Clara miguelmclara at gmail.com
Thu Oct 16 13:41:33 UTC 2014


Hum... makes sense when SNI is involved, yes, but I get the same issue if
using the same certificate (wildcard) for 2 subdomains on my dev
environment.

Say "blog.domain.com" and "forums.domain.com". I tested with the
cert/key path defined in the server blocks and in conf.d/ssl.conf (which
is read before site-enabled/*); both give the same result.

These are the curl results with any ssl path/cipher stripped from the server blocks,
and with ssl_protocol set to sslv3 in one (forums) while the other is not:

~% curl -sslv3 -I -uuser:pass https://blog.domain.com

* Rebuilt URL to: https://blog.domain.com/
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* Connected to blogdev.domain.com (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0
~% curl -sslv3 -I -uuser:pass https://orums.domain.com
* Rebuilt URL to: https://forums.domain.com/
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* Connected to testforums.domain.com (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0

NOTE: the blog config is read first... if I rename the forums config to
00-forums.conf SSLv3 works, but it works for both and it should not work for
blog... so it seems that it's not only about SNI?


Melhores Cumprimentos // Best Regards
-----------------------------------------------
Miguel Clara
IT - Sys Admin & Developer
E-mail: miguelmclara at gmail.com
www.linkedin.com/in/miguelmclara/

On Thu, Oct 16, 2014 at 2:01 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:
>
> >         listen 443 ssl spdy;
> >
> > Actually but sni is working fine sslabs reports the correct certs... just
> > tells me SSLv3 is on in all when its only set for one of the domains...
> > At first I had " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level
> > and just set " ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; " in one of the
> > servers/domain I removed that for http block and now have the different
> > "ssl_protocols" directive in the corresponding configs and sslabs reports
> > the one defined in the first.
> >
> >
> > If I change the order (sslv3 first) sslabs reports all servers/domains
> have
> > sslv3 on but curl fails with "-sslv3" and the error is related to the
> cert
> > name ...  but I'm assuming that's just because sni is a TLS extension not
> > SSL.. so it actually proves sslv3 is on when it shouldn't be!
>
> When using SSLv3 to connect, the settings of the default server{}
> block will be used.  This is because there is no SNI in SSLv3, and
> hence the SSL connection is established in the context of the default
> server{} block.  The appropriate server{} block is then selected
> based on the Host header in an http request, much like it used to work
> with non-SNI virtual hosting and normal HTTP.
>
> That is, by using the "ssl_protocols" directive you can only limit
> use of SSLv3 for all servers on a particular listen socket, as due
> to lack of SNI it doesn't make sense in non-default server{}
> blocks.
>
> If you want to limit use of SSLv3 for a particular server only,
> you have two basic options:
>
> - use a separate listen socket for this server (that is, use a
>   separate IP address);
>
> - test the $ssl_protocol variable during http request processing and
>   return an error; something like
>
>     if ($ssl_protocol = "SSLv3") {
>         return 403;
>     }
>
>   will do the trick.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
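The configuration pattern Maxim describes, written out as an added example (not a config posted in this thread). It also explains the observation above: with the blog config read first, blog is the implicit default server for port 443, so SSLv3 is refused for both names; rename forums to 00-forums.conf and forums becomes the default, so SSLv3 is accepted for both. Hostnames and certificate paths are assumed.

```nginx
# Added example, not from the thread. Hostnames and paths are placeholders.
# One listen socket (443) shared by two names on a wildcard certificate.

# Default server for the socket. An SSLv3 client sends no SNI, so every
# SSLv3 handshake is completed in this block, with this block's
# ssl_protocols and certificate, whatever the Host header says later.
server {
    listen 443 ssl default_server;
    server_name forums.domain.com;

    ssl_certificate     /etc/nginx/ssl/wildcard.domain.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/wildcard.domain.com.key;   # assumed path

    # Legacy clients need SSLv3 here; in practice this setting governs
    # the whole listen socket for non-SNI clients.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# Non-default server. The ssl_protocols below is only consulted for clients
# that select this block via SNI, i.e. TLS clients; SSLv3 clients never
# reach it during the handshake, so it cannot exclude SSLv3 on its own.
server {
    listen 443 ssl;
    server_name blog.domain.com;

    ssl_certificate     /etc/nginx/ssl/wildcard.domain.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/wildcard.domain.com.key;   # assumed path

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # no effect on SSLv3 clients

    # The check Maxim suggests: after the handshake the Host header routes
    # the request here, and $ssl_protocol still carries the negotiated
    # protocol, so an SSLv3 session can be refused at the HTTP layer.
    if ($ssl_protocol = "SSLv3") {
        return 403;
    }
}
```

Note that the 403 is sent over the already established SSLv3 connection; only a separate listen socket (a separate IP address) stops SSLv3 from being negotiated for blog.domain.com at all.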