Re: How to force SNI only connections, or have a fallback non-SNI server?

Tiago Freire
July 14, 2010 02:52PM
EV is a requirement because upper management wants the 'green bar'.

It is my understanding that Apache has a configuration option to force
SNI-only SSL handshake, returning a (user-configurable I believe) error to
the non-SNI clients, therefore it must be possible to customize the action
taken about the presence (or absence) of the SNI header.

I am no expert of the bits and bytes, step-by-step of SSL, but from what I
have read while researching, the SNI specification dictates that at the
beginning of the handshake to establish the SSL connection the client would
send the URL to which it wants to connect, which is the main ingredient for
SNI to work. Lack of this would indicate a non-SNI connection handshake.

Apache can act on it, I thought nginx could be able to act on it too, that's
why I am asking. If nginx does not currently have this functionality, I see
value in implementing it, and that's what I would like to propose:

A way to detect and segregate SNI and non-SNI connections before the SSL
handshake finishes (this must be possible because it is the very way SNI
works), and give the nginx administrator configurable options to act upon
the different connections: give an error on non-SNI connections, or send
them to a different server, or just accept them in the first ssl server.

On Wed, Jul 14, 2010 at 2:01 PM, Alex Sergeyev <asergeyev@dyn.com> wrote:

> Tiago if (by any chance) your site names are in same domain - you may
> consider non-EV but WILDCARD certificate for *.domain.tld
>
> Alex.
>
>
> On Wed, 2010-07-14 at 13:17 -0300, Tiago Freire wrote:
> > I was hoping that there would be a configuration option on nginx to
> > either:
> > 1) give a 403 error - or whatever error is best fit - when it detects
> > non-SNI SSL handshake; or
> > 2) redirect non-SNI SSL handshake traffic to a different virtual
> > server.
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
-----
Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe
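The three options Tiago asks for (reject non-SNI handshakes, send them to a fallback server, or accept them in the first server) map onto what later nginx releases provide through `default_server` selection and the `ssl_reject_handshake` directive (available since nginx 1.19.4). This is an added configuration example, not from the thread or from the nginx project; the hostnames and certificate paths are placeholders.

```nginx
# Fallback server: nginx selects the default_server for every TLS handshake
# whose SNI name matches no server_name, and for handshakes that carry no SNI
# at all. Enabling ssl_reject_handshake here aborts those handshakes with a
# fatal TLS alert instead of presenting any certificate (option 1 in the post).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Option 2 instead of option 1: to serve non-SNI and unknown-name clients from a
# separate site rather than rejecting them, drop ssl_reject_handshake from the
# block above and give it its own (non-EV) certificate and content:
#
# server {
#     listen 443 ssl default_server;
#     ssl_certificate     /etc/nginx/certs/fallback.crt;   # placeholder path
#     ssl_certificate_key /etc/nginx/certs/fallback.key;   # placeholder path
#     return 421;
# }

# Named EV site: only chosen when the client's SNI name matches server_name,
# so the EV certificate is never shown to a client that did not send SNI.
server {
    listen 443 ssl;
    server_name www.example.com;                                # placeholder
    ssl_certificate     /etc/nginx/certs/www.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;   # placeholder path

    root /var/www/example;                                      # placeholder
}
```

To verify the behaviour, `openssl s_client -connect host:443 -noservername` (OpenSSL 1.1.1 or later) should fail the handshake against the first configuration, while `openssl s_client -connect host:443 -servername www.example.com` should complete it and show the EV certificate.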