ssl_protocols per server?

Maxim Dounin mdounin at mdounin.ru
Thu Oct 16 13:58:10 UTC 2014


Hello!

On Thu, Oct 16, 2014 at 02:41:33PM +0100, Miguel Clara wrote:

> Hum... makes sense when SNI is involved yes, but I get the same issue if
> using the same certificate (wildcard) for 2 subdomains on my dev
> environment.
> 
> say "blog.domain.com" and "forums.domain.com" and I tested with
> cert/key_path defined in the server blocks and in conf.d/ssl.conf (which
> is read before site-enabled/*) both give the same result
> 
> These are the curl results with any ssl path/cipher stripped from the server blocks,
> with ssl_protocol set to sslv3 in one (forums) and not in the other

[...]

> NOTE: the blog config is read first... if I rename the forums config to
> 00-forums.conf SSLv3 works, but works for both and it should not work for
> blog... so it seems that it's not only about SNI?

Again: as long as SSLv3 is not enabled in the default server 
block, SSLv3 will not work.  If it's enabled, it will work for all 
virtual servers using the listen socket in question.  By changing 
names you effectively change the default server for the listen socket in 
question (but that's bad and not guaranteed to work, use 
"listen ... default_server" instead).  That's expected behaviour.

Quoting my previous response here, you may want to re-read it to 
make sure you've understood it correctly:

> > When using SSLv3 to connect, settings of the default server{}
> > block will be used.  This is because there is no SNI in SSLv3, and
> > hence SSL connection is established in the context of the default
> > server{} block.  The appropriate server{} block is then selected
> > based on Host header in an http request, much like it used to work
> > with non-SNI virtual hosting and normal HTTP.
> >
> > That is, by using the "ssl_protocols" directive you can only limit
> > use of SSLv3 for all servers on a particular listen socket, as due
> > to lack of SNI it doesn't make sense in non-default server{}
> > blocks.
> >
> > If you want to limit use of SSLv3 for a particular server only,
> > you have two basic options:
> >
> > - use a separate listen socket for this server (that is, use a
> >   separate IP address);
> >
> > - test $ssl_protocol variable during a http request processing and
> >   return an error; something like
> >
> >     if ($ssl_protocol = "SSLv3") {
> >         return 403;
> >     }
> >
> >   will do the trick.

Additionally, here is a link to an article about request processing 
in nginx; it explains things about "default_server" and so on:

http://nginx.org/en/docs/http/request_processing.html

Hope this helps.

-- 
Maxim Dounin
http://nginx.org/
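The configuration below is an added example, not part of the thread and not nginx project code; it puts the two points from the reply above into one file. Both server{} blocks share the *:443 listen socket, the default server is chosen explicitly with "default_server" rather than by file name order, and the per-server $ssl_protocol check is placed in the host that must refuse SSLv3. Certificate paths and the hostnames are placeholders (the hostnames are the ones used in the thread).

```nginx
# Added example (constructed; not from the mailing-list thread).
#
# Because SSLv3 carries no SNI, the handshake on *:443 always completes
# under the settings of the default server for that socket.  Only after
# the handshake does the Host header pick the real server{} block.  So:
#   - ssl_protocols in the default server decides whether SSLv3 can be
#     negotiated on this socket at all;
#   - ssl_protocols in a non-default server{} has no effect on SSLv3;
#   - a per-host refusal therefore has to happen at the HTTP layer,
#     by testing $ssl_protocol once the request has been routed.

server {
    # Explicit default server for the socket; do not rely on which
    # sites-enabled/* file happens to be read first.
    listen 443 ssl default_server;
    server_name forums.domain.com;

    ssl_certificate     /etc/nginx/ssl/wildcard.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/wildcard.key;   # placeholder path

    # This list governs every virtual server on *:443.  Listing SSLv3
    # here is what makes it negotiable for forums AND for blog below;
    # removing it disables SSLv3 for the whole socket.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    location / {
        root /var/www/forums;   # placeholder
    }
}

server {
    listen 443 ssl;
    server_name blog.domain.com;

    ssl_certificate     /etc/nginx/ssl/wildcard.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/wildcard.key;   # placeholder path

    # Ineffective for SSLv3 on a shared socket: the protocol was already
    # chosen in the default server above, before any Host header existed.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # The only way to refuse SSLv3 for this host alone on a shared socket
    # (the alternative from the reply is a separate listen IP address).
    if ($ssl_protocol = "SSLv3") {
        return 403;
    }

    location / {
        root /var/www/blog;   # placeholder
    }
}
```

With this layout, an SSLv3 client reaching forums.domain.com is served, while the same client sending "Host: blog.domain.com" completes the handshake (under the default server) and then receives 403 from the blog block. Renaming the forums file to 00-forums.conf is no longer needed, since "default_server" fixes the choice regardless of load order.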
