ssl_protocols & SNI

B.R. reallfqq-nginx at yahoo.fr
Thu Jan 19 14:28:11 UTC 2017 

I acknowledge how that works, although OpenSSL providing more flexibility
over SNI for protocols supporting it would have been appreciated. Too bad.
Thanks Maxim for you always concise and straightforward discerning answers!
---
*B. R.*

On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>
> > Hello,
> >
> > I tried to overload the value of my default ssl_protocols (http block
> > level) in a server block.
> > It did not seem to apply the other value in this virtuel server only.
> >
> > Since I use SNI on my OpenSSL implementation, which perfectly works to
> > support multiple virtual servers, I wonder why this SNI capability isn't
> > leveraged to apply different TLS environment depending on the SNI value
> and
> > the TLS directives configured for the virtual server of the asked domain.
> > Can SNI be used for other TLS configuration directives other than
> > certificates?
> >
> > More generally, is it normal you cannot overload directives such as
> > ssl_protocols or ssl_ciphers in a specific virtual server, using the same
> > socket as others?
> > If positive, would it be possible to use SNI to tweak TLS connections
> > envrionment depending on domain?
>
> You can overload ssl_ciphers.  You can't overload ssl_protocols
> because OpenSSL works this way: it selects the protocol used
> before SNI callback (and this behaviour looks more or less natural
> beacause the existance of SNI depends on the protocol used, and,
> for example, you can't enable SSLv3 in a SNI-based virtual host).
>
> In general, whether or not some SSL feature can be tweaked for
> SNI-based virtual hosts depends on two factors:
>
> - if it's at all possible;
> - how OpenSSL handles it.
>
> In some cases nginx also tries to provide per-virtualhost support
> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
> ssl_verify_depth, ssl_prefer_server_ciphers.
>
> --
> Maxim Dounin
> http://nginx.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170119/d6557cff/attachment.html>

More information about the nginx mailing list