ssl_reject_handshake breaks other server blocks

J Carter jordanc.carter at outlook.com
Sat Mar 2 18:51:36 UTC 2024


Hello Taco,

On Sat, 2 Mar 2024 09:54:46 -0300
Taco de Wolff <tacodewolff at gmail.com> wrote:

> Thank you Jordan for the response.
> 

No problem. 

> Including the SNI information in cURL works, thank you. I wasn't aware this
> was so very different from TCP/HTTP2.
> 
> The point I was trying to make about the ssl_certificate options to be
> mandatory, is that HTTP/2 also requires SSL 

HTTP/2 can be used without TLS, by the way (called h2c), and this is also 
implemented in nginx. With curl you can test it easily with the 
--http2-prior-knowledge flag against a plain-text port.

The $http2 variable [1] can also be easily used to distinguish h2c from
h2 (with TLS).

Of course, I doubt there is a lot of real world usage of h2c. Still, it can 
be useful for testing :)

[1] https://nginx.org/en/docs/http/ngx_http_v2_module.html#variables

> but recognizes that when
> ssl_reject_handshake=on it doesn't need the certificate. For HTTP/3 it
> doesn't seem to recognize that it doesn't need the certificate since it
> will reject handshakes anyways.

I see, but when testing with exactly the configuration you posted, it
does not appear to require them in the default server (on 1.25.4). If I
remove ssl_certificate and ssl_certificate_key directives, it still
works...

1) Are you using any out of band patches in your nginx build (if self
built)?

2) Which TLS library are you using (openssl, boringssl, etc.)?

3) Which OS?
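As an added illustration (not part of the thread above, and not the poster's configuration), the fragment below pulls together the two points discussed: a cleartext h2c listener whose protocol is exposed through $http2, and a certificate-less default TLS server that relies on ssl_reject_handshake. Hostnames, file paths and the log format name are placeholders chosen for the example.

```nginx
# Added example. "example.test" and the certificate paths are placeholders.

http {
    # Record the negotiated protocol ("h2", "h2c" or empty) and the SNI
    # name the client sent, so cleartext HTTP/2 and SNI mismatches are
    # visible in the access log instead of only in a curl -v trace.
    log_format proto '$remote_addr "$request" $status '
                     'proto=$http2 sni=$ssl_server_name';
    access_log /var/log/nginx/proto.log proto;

    # Cleartext HTTP/2 (h2c). Test with:
    #   curl -v --http2-prior-knowledge http://127.0.0.1/
    server {
        listen 80;
        http2 on;
        server_name example.test;

        # Echo the protocol back so the client can see h2c vs h2 too.
        add_header X-Proto $http2 always;
        return 204;
    }

    # Default TLS server: no certificate needed because every handshake
    # that does not match a named server below is rejected during the
    # TLS handshake itself (requires nginx 1.19.4 or later).
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    # Named TLS server: only reached when the client sends matching SNI.
    # Test with:
    #   curl -v --resolve example.test:443:127.0.0.1 https://example.test/
    server {
        listen 443 ssl;
        http2 on;
        server_name example.test;

        ssl_certificate     /etc/nginx/certs/example.test.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/example.test.key;  # placeholder

        add_header X-Proto $http2 always;
        return 204;
    }
}
```

A request with the wrong (or no) SNI never reaches the named server: the handshake fails and nothing is logged by the named server's access log, which is the behaviour to expect when checking whether ssl_reject_handshake is doing its job.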

