ssl_protocols & SNI

B.R. reallfqq-nginx at yahoo.fr
Thu Jan 19 18:07:02 UTC 2017


There is something strange, though.

I configured cipher suites with ssl_ciphers with suites from TLSv1.0 &
TLSv1.2 (TLSv1.1 having no specific cipher suites but merely relying on
thos from TLSv1.0).
Those 3 protocols can be tested successfully when ssl_protocols is at its
default value (TLSv1 TLSv1.1 TLSv1.2 since nginx v1.9.1).
However, trying to remove TLSv1 (thus using TLSv1.1 TLSv1.2 for those who
are following ^^), I cannot connect using neither TLSv1.0 nor TLSv1.1, only
with TLSv1.2 a connection can be established.

I am probably overlooking something... What is it?
---
*B. R.*

On Thu, Jan 19, 2017 at 3:28 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:

> I acknowledge how that works, although OpenSSL providing more flexibility
> over SNI for protocols supporting it would have been appreciated. Too bad.
> Thanks Maxim for you always concise and straightforward discerning answers!
> ---
> *B. R.*
>
> On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
>> Hello!
>>
>> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>>
>> > Hello,
>> >
>> > I tried to overload the value of my default ssl_protocols (http block
>> > level) in a server block.
>> > It did not seem to apply the other value in this virtuel server only.
>> >
>> > Since I use SNI on my OpenSSL implementation, which perfectly works to
>> > support multiple virtual servers, I wonder why this SNI capability isn't
>> > leveraged to apply different TLS environment depending on the SNI value
>> and
>> > the TLS directives configured for the virtual server of the asked
>> domain.
>> > Can SNI be used for other TLS configuration directives other than
>> > certificates?
>> >
>> > More generally, is it normal you cannot overload directives such as
>> > ssl_protocols or ssl_ciphers in a specific virtual server, using the
>> same
>> > socket as others?
>> > If positive, would it be possible to use SNI to tweak TLS connections
>> > envrionment depending on domain?
>>
>> You can overload ssl_ciphers.  You can't overload ssl_protocols
>> because OpenSSL works this way: it selects the protocol used
>> before SNI callback (and this behaviour looks more or less natural
>> beacause the existance of SNI depends on the protocol used, and,
>> for example, you can't enable SSLv3 in a SNI-based virtual host).
>>
>> In general, whether or not some SSL feature can be tweaked for
>> SNI-based virtual hosts depends on two factors:
>>
>> - if it's at all possible;
>> - how OpenSSL handles it.
>>
>> In some cases nginx also tries to provide per-virtualhost support
>> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
>> ssl_verify_depth, ssl_prefer_server_ciphers.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170119/239c6a90/attachment-0001.html>


More information about the nginx mailing list