ssl_protocols & SNI

B.R. reallfqq-nginx at yahoo.fr
Mon Jan 23 19:50:35 UTC 2017


Any help?
---
*B. R.*

On Thu, Jan 19, 2017 at 7:07 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:

> There is something strange, though.
>
> I configured cipher suites with ssl_ciphers with suites from TLSv1.0 &
> TLSv1.2 (TLSv1.1 having no specific cipher suites but merely relying on
> those from TLSv1.0).
> Those 3 protocols can be tested successfully when ssl_protocols is at its
> default value (TLSv1 TLSv1.1 TLSv1.2 since nginx v1.9.1).
> However, trying to remove TLSv1 (thus using TLSv1.1 TLSv1.2 for those who
> are following ^^), I cannot connect using either TLSv1.0 or TLSv1.1; only
> with TLSv1.2 can a connection be established.
>
> I am probably overlooking something... What is it?
> ---
> *B. R.*
>
> On Thu, Jan 19, 2017 at 3:28 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:
>
>> I acknowledge how that works, although OpenSSL providing more flexibility
>> over SNI for protocols supporting it would have been appreciated. Too bad.
>> Thanks Maxim for your always concise and straightforward discerning
>> answers!
>> ---
>> *B. R.*
>>
>> On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>>
>>> Hello!
>>>
>>> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>>>
>>> > Hello,
>>> >
>>> > I tried to overload the value of my default ssl_protocols (http block
>>> > level) in a server block.
>>> > It did not seem to apply the other value in this virtual server only.
>>> >
>>> > Since I use SNI on my OpenSSL implementation, which perfectly works to
>>> > support multiple virtual servers, I wonder why this SNI capability isn't
>>> > leveraged to apply a different TLS environment depending on the SNI value
>>> > and the TLS directives configured for the virtual server of the asked
>>> > domain.
>>> > Can SNI be used for other TLS configuration directives other than
>>> > certificates?
>>> >
>>> > More generally, is it normal you cannot overload directives such as
>>> > ssl_protocols or ssl_ciphers in a specific virtual server, using the
>>> > same socket as others?
>>> > If positive, would it be possible to use SNI to tweak the TLS connection
>>> > environment depending on domain?
>>>
>>> You can overload ssl_ciphers.  You can't overload ssl_protocols
>>> because OpenSSL works this way: it selects the protocol used
>>> before SNI callback (and this behaviour looks more or less natural
>>> because the existence of SNI depends on the protocol used, and,
>>> for example, you can't enable SSLv3 in an SNI-based virtual host).
>>>
>>> In general, whether or not some SSL feature can be tweaked for
>>> SNI-based virtual hosts depends on two factors:
>>>
>>> - if it's at all possible;
>>> - how OpenSSL handles it.
>>>
>>> In some cases nginx also tries to provide per-virtualhost support
>>> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
>>> ssl_verify_depth, ssl_prefer_server_ciphers.
>>>
>>> --
>>> Maxim Dounin
>>> http://nginx.org/
>>>
>>
>>
>
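An added configuration example, not taken from the thread, that lays out the behaviour Maxim describes: two SNI virtual hosts share one ip:port, the per-host ssl_ciphers and ssl_prefer_server_ciphers overrides take effect, but the protocol list is fixed by the default server for the whole socket. Host names, certificate paths and cipher lists are constructed placeholders.

```nginx
http {
    # Default server for 443: its ssl_protocols is the one that counts
    # for every SNI host on this socket, because OpenSSL negotiates the
    # TLS version before the servername callback runs.
    server {
        listen 443 ssl default_server;
        server_name example.com;                         # constructed
        ssl_certificate     /path/to/example.com.crt;    # placeholder
        ssl_certificate_key /path/to/example.com.key;    # placeholder
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
    }

    # Second SNI host on the same socket.
    server {
        listen 443 ssl;
        server_name legacy.example.com;                  # constructed
        ssl_certificate     /path/to/legacy.example.com.crt;   # placeholder
        ssl_certificate_key /path/to/legacy.example.com.key;   # placeholder

        # Effective: nginx applies the cipher list and preference per
        # virtual host after SNI has selected this server.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256;
        ssl_prefer_server_ciphers off;

        # NOT effective on a shared socket: the version was already chosen
        # using the default server's list above, so a TLSv1.0 client still
        # cannot connect here even though TLSv1 is listed.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }

    # A host that genuinely needs a different protocol list must get its
    # own listening socket (separate ip:port), where it is the default.
    server {
        listen 203.0.113.5:443 ssl default_server;       # constructed IP
        server_name old-clients.example.com;             # constructed
        ssl_certificate     /path/to/old-clients.crt;    # placeholder
        ssl_certificate_key /path/to/old-clients.key;    # placeholder
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
}
```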