ssl_protocols per server?
miguelmclara at gmail.com
Thu Oct 16 14:30:02 UTC 2014
On Thu, Oct 16, 2014 at 2:58 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Thu, Oct 16, 2014 at 02:41:33PM +0100, Miguel Clara wrote:
> > Hum... makes sense when SNI is involved, yes, but I get the same issue if
> > using the same certificate (wildcard) for 2 subdomains on my dev
> > environment.
> > Say "blog.domain.com" and "forums.domain.com"; I tested with
> > cert/key_path defined in the server blocks and in conf.d/ssl.conf (which
> > is read before site-enabled/*) and both give the same result.
> > These are curl results with any ssl path/cipher stripped from the server blocks,
> > and with ssl_protocols including SSLv3 in one (forums) while the other does not.
> > NOTE: the blog config is read first... if I rename the forums config to
> > 00-forums.conf SSLv3 works, but it works for both and it should not work for
> > blog... so it seems that it's not only about SNI?
> Again: as long as SSLv3 is not enabled in the default server
> block, SSLv3 will not work. If it's enabled, it will work for all
> virtual servers using the listen socket in question. By changing
> names you effectively change default server for the listen socket in
> question (but that's bad and not guaranteed to work, use
> "listen ... default_server" instead). That's expected behaviour.
> Quoting my previous response here, you may want to re-read it to
> make sure you've understood it correctly:
Duh, yes I get it now, it's not possible to do this with SSLv3 enabled by
default (also I do have default_server in ssl.conf):
listen 443 default_server ssl spdy;
This just makes it use the cert for all and uses this as default (which, as
you say, is preferred to just setting it on the server block and expecting
nginx to use the first as default).
I was using ssl_protocols TLSv1 TLSv1.1 TLSv1.2; or ssl_protocols SSLv3
TLSv1 TLSv1.1 TLSv1.2; in the servers only and then moved it to ssl.conf.
And what you say is that *the expected behaviour* is that if SSLv3 is on then
it's on for all, and if not it's off for all; it will use the default config
(or the first it grabs, although that's not the recommended case).
So as I said somewhere before, this is indeed on for all or for none, but
it's not a bug, it's how it works, and there is no way around it except using a
different socket (IP) for each server!
I was wrongly expecting it would work differently with a wildcard cert.
Thanks for the clarification
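The behaviour described in this thread, as an added configuration example that is not from the thread or from the nginx project: the protocol version is negotiated on the listen socket before SNI selects a server block, so only the default server's ssl_protocols takes effect. Hostnames, certificate paths and the 192.0.2.x addresses are placeholders.

```nginx
# Added example, not from the thread. All names, paths and IPs are placeholders.

# WEAK: SSLv3 listed in the default server for 443 silently enables it for
# blog.example.com as well, even though blog's own block omits it.
server {
    listen 443 default_server ssl;
    server_name forums.example.com;
    ssl_certificate     /etc/nginx/ssl/wildcard.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/wildcard.example.com.key;  # placeholder
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name blog.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # no effect: not the default server
}

# CORRECTED: the shared 443 socket is TLS-only because its default server
# says so; every virtual server on that socket inherits the same policy.
server {
    listen 192.0.2.1:443 default_server ssl;
    server_name blog.example.com;
    ssl_certificate     /etc/nginx/ssl/wildcard.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/wildcard.example.com.key;  # placeholder
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
# A server that genuinely still needs SSLv3 can only get it on its own
# socket (a different IP, as the thread concludes), so the legacy setting
# cannot leak to the other hosts.
server {
    listen 192.0.2.2:443 default_server ssl;
    server_name forums.example.com;
    ssl_certificate     /etc/nginx/ssl/wildcard.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/wildcard.example.com.key;  # placeholder
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
```

To verify from a client, `openssl s_client -connect blog.example.com:443 -ssl3` should fail the handshake against the corrected layout, since the protocol list belongs to the socket, not the hostname.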