ssl_protocols per server and SNI

Maxim Dounin mdounin at mdounin.ru
Tue Apr 17 13:02:15 UTC 2018


Hello!

On Mon, Apr 16, 2018 at 05:07:48PM -0700, Frank Liu wrote:

> Looks like OpenSSL 1.1.1 finally fixed this (
> https://github.com/openssl/openssl/issues/4301) and added early callback
> (new in OpenSSL 1.1.1), which allows the application to switch SSL_CTXes
> *before* TLS version negotiation.
> Hopefully nginx 1.15 milestone will be able to take advantage of this.

As per the issue referenced, OpenSSL folks simply closed the 
issue without even trying to understand the problem.

Another issue linked there 
(https://github.com/openssl/openssl/issues/4302) seems to suggest 
that it should be possible to use the clienthello callback as 
available in 1.1.1 to switch protocols supported.  This might work 
(not tested), though certainly will require much more work than 
using the servername callback as we do now.

-- 
Maxim Dounin
http://mdounin.ru/
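Added example (not from this thread, nor nginx's or OpenSSL's code): the two things a clienthello callback would have to do that the servername callback cannot, namely read the server_name extension out of raw ClientHello bytes and pick the protocol range for that vhost before the server has chosen a version. It is plain C over constructed extension bytes so it runs without OpenSSL; the OpenSSL 1.1.1 wiring is sketched in a comment only, and the vhost table, hostnames and vhost_ctx_for() are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Version codes matching OpenSSL's TLS1_*_VERSION values. */
#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

struct vhost_policy {
    const char *name;   /* server name the vhost answers to (NULL = default) */
    int min_version;    /* for SSL_set_min_proto_version() */
    int max_version;    /* for SSL_set_max_proto_version() */
};

/* Constructed table: one legacy vhost still needing TLS 1.0, one modern one. */
static const struct vhost_policy vhosts[] = {
    { "legacy.example.com", TLS1_VERSION,   TLS1_2_VERSION },
    { "modern.example.com", TLS1_2_VERSION, TLS1_3_VERSION },
};
static const struct vhost_policy default_vhost = { NULL, TLS1_2_VERSION, TLS1_3_VERSION };

/*
 * Parse a server_name extension body (RFC 6066 s.3) as SSL_client_hello_get0_ext()
 * hands it out: uint16 list_len, then { uint8 name_type, uint16 len, bytes }...
 * Copies the first host_name (type 0) into out, NUL-terminated, returns its
 * length; 0 if missing or malformed. The bytes are attacker-controlled, so
 * every length is checked against what was actually received.
 */
size_t sni_parse_hostname(const unsigned char *ext, size_t extlen,
                          char *out, size_t outlen)
{
    size_t list_len, pos = 2;
    if (extlen < 2)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != extlen)                 /* short or trailing data */
        return 0;
    while (pos + 3 <= extlen) {
        unsigned char name_type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > extlen - pos)            /* length overruns the body */
            return 0;
        if (name_type == 0) {
            if (name_len == 0 || name_len >= outlen
                || memchr(ext + pos, 0, name_len) != NULL)
                return 0;
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return name_len;
        }
        pos += name_len;                        /* skip unknown name types */
    }
    return 0;
}

/* ASCII case-insensitive compare: DNS names are case-insensitive. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Pick the vhost policy for a ClientHello; no/unknown SNI -> default policy. */
const struct vhost_policy *choose_policy(const unsigned char *ext, size_t extlen)
{
    char host[256];
    size_t i;
    if (sni_parse_hostname(ext, extlen, host, sizeof host) == 0)
        return &default_vhost;
    for (i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
        if (name_equal(host, vhosts[i].name))
            return &vhosts[i];
    return &default_vhost;
}

/* Test helper: encode one host_name as a server_name extension body. */
size_t sni_build(const char *host, unsigned char *buf, size_t buflen)
{
    size_t n = strlen(host);
    if (n == 0 || n > 0xffff - 3 || n + 5 > buflen)
        return 0;
    buf[0] = (unsigned char)((n + 3) >> 8);
    buf[1] = (unsigned char)(n + 3);
    buf[2] = 0;                                 /* name_type host_name */
    buf[3] = (unsigned char)(n >> 8);
    buf[4] = (unsigned char)n;
    memcpy(buf + 5, host, n);
    return n + 5;
}

/* Policy chosen for a constructed ClientHello that names `host`. */
const struct vhost_policy *policy_for_host(const char *host)
{
    unsigned char ext[300];
    return choose_policy(ext, sni_build(host, ext, sizeof ext));
}

/*
 * OpenSSL >= 1.1.1 wiring (assumed, not compiled here), registered with
 * SSL_CTX_set_client_hello_cb(ctx, hello_cb, NULL):
 *   int hello_cb(SSL *s, int *al, void *arg) {
 *       const unsigned char *ext; size_t extlen;
 *       const struct vhost_policy *p = &default_vhost;
 *       if (SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &ext, &extlen))
 *           p = choose_policy(ext, extlen);
 *       SSL_set_SSL_CTX(s, vhost_ctx_for(p));          // hypothetical lookup
 *       SSL_set_min_proto_version(s, p->min_version);  // SSL_set_SSL_CTX does not
 *       SSL_set_max_proto_version(s, p->max_version);  // carry versions over
 *       return SSL_CLIENT_HELLO_SUCCESS;
 *   }
 * This runs before the server chooses a protocol version; the servername
 * callback runs after that choice, which is why it cannot switch protocols.
 */
int main(void)
{
    const char *hosts[] = { "legacy.example.com", "MODERN.example.com", "other.example.org" };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const struct vhost_policy *p = policy_for_host(hosts[i]);
        printf("%-20s -> TLS 0x%04x..0x%04x\n", hosts[i], p->min_version, p->max_version);
    }
    return 0;
}
```

A malformed or absent server_name falls back to the default (strictest) policy rather than to the legacy range, so a client that omits or mangles SNI never gets an older protocol than the default vhost allows.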

