ssl_protocols & SNI

Thu Jan 19 13:36:55 UTC 2017

Hello!

On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:

> Hello,
> 
> I tried to overload the value of my default ssl_protocols (http block
> level) in a server block.
> It did not seem to apply the other value in this virtuel server only.
> 
> Since I use SNI on my OpenSSL implementation, which perfectly works to
> support multiple virtual servers, I wonder why this SNI capability isn't
> leveraged to apply different TLS environment depending on the SNI value and
> the TLS directives configured for the virtual server of the asked domain.
> Can SNI be used for other TLS configuration directives other than
> certificates?
> 
> More generally, is it normal you cannot overload directives such as
> ssl_protocols or ssl_ciphers in a specific virtual server, using the same
> socket as others?
> If positive, would it be possible to use SNI to tweak TLS connections
> envrionment depending on domain?

You can overload ssl_ciphers.  You can't overload ssl_protocols 
because OpenSSL works this way: it selects the protocol used 
before SNI callback (and this behaviour looks more or less natural 
beacause the existance of SNI depends on the protocol used, and, 
for example, you can't enable SSLv3 in a SNI-based virtual host).

In general, whether or not some SSL feature can be tweaked for 
SNI-based virtual hosts depends on two factors:

- if it's at all possible;
- how OpenSSL handles it.

In some cases nginx also tries to provide per-virtualhost support 
even for things OpenSSL doesn't handle natively, e.g., ssl_verify, 
ssl_verify_depth, ssl_prefer_server_ciphers.

-- 
Maxim Dounin
http://nginx.org/