Inheritance issues with ssl_protocols and ssl_ciphers...

Sat Nov 12 11:37:48 UTC 2022

Hello!

On Sat, Nov 12, 2022 at 05:24:36AM -0500, wordlesswind wrote:

> Hello guys,
> 
> I enabled ssl_reject_handshake in the first 443 server segment of nginx.conf
> to prevent someone from scanning the IP to detect the certificate.
> 
> ```
> server {
>         listen   443 ssl reuseport;
>         listen   [::]:443 ssl;
> 
>         ssl_session_cache    shared:SSL:10m;
>         ssl_session_timeout  1d;
> 
>         ssl_dhparam          /root/dhparam;
> 
>         ssl_protocols        TLSv1.2 TLSv1.3;
>         ssl_ciphers          TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;
> 
>         ssl_early_data       on;
> 
>         ssl_reject_handshake  on;
>     }
> ```
> 
> I then placed the real server configuration file under the conf.d folder.
> 
> ```
> server {
>     listen   443 ssl http2;
>     listen   [::]:443 ssl http2;
>     server_name  example.com;
>     root     /usr/share/nginx/html;
> 
>     ssl_certificate      /acme.sh/example.com_ecc/fullchain.cer;
>     ssl_certificate_key  /acme.sh/example.com_ecc/example.com.key;
> 
>     ssl_certificate      /acme.sh/example.com/fullchain.cer;
>     ssl_certificate_key  /acme.sh/example.com/example.com.key;
> 
>     ssl_stapling         on;
>     resolver             8.8.8.8 1.1.1.1 valid=300s;
>     ssl_stapling_verify  on;
> 
>     ssl_session_cache    shared:SSL:10m;
>     ssl_session_timeout  1d;
> 
>     ssl_dhparam          /root/dhparam;
> 
>     ssl_protocols        TLSv1.2 TLSv1.3;
>     ssl_ciphers          TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;
> 
>     ssl_early_data       on;

[...]

> }
> ```
> 
> Then I found a problem, if I turn off TLS 1.2 on the first 443 server
> segment and only use TLS 1.3, then the other servers are also TLS 1.3 only.
> 
> It seems that ssl_ciphers, ssl_dhparam, ssl_early_data, ssl_protocols,
> ssl_session_cache, and ssl_session_timeout all have inheritance.
> 
> Is this normal?

You are using name-based virtual servers, so nginx can only change 
settings when some name is known from the client request (or a 
connection).  In case of HTTPS, the first name which becomes known 
is the SNI server name.  It is, however, only known when OpenSSL 
already decides which protocol version to use (in particular, 
because the SNI TLS extension is not available in some older 
protocols, such as SSLv3).  As such, the ssl_protocol directive 
should be specified in the default server block when using 
name-based virtual servers.

Similarly, SSL session reuse happens at the default server context 
(since the SNI name might not be available at all during session 
reuse), so ssl_session_cache needs to be specified in the default 
server block as well.  The same applies to ssl_session_timeout and 
ssl_early_data, as both are set by OpenSSL based on the default 
server context where sessions are reused.  On the other hand, 
BoringSSL makes it possible to set ssl_early_data in name-based 
virtual servers.

Ciphers, however, are chosen after the SNI name is known (and 
appropriate server certificates are set), since it is not possible 
to select a cipher without the certificate being known.  As such, 
ssl_ciphers can be safely used in name-based virtual servers.  The 
same applies to ssl_dhparam.

Some basic tips about various aspects of name-based virtual server 
selection can be found in the documentation here:

http://nginx.org/en/docs/http/server_names.html#virtual_server_selection

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/