SNI requires TLSv1 protocol, why?

Posted by spuniun 
April 30, 2013 05:20PM
After migrating our multi-tenant application to an nginx reverse proxy which has SNI requirements, I encountered an interesting issue while doing some security clean up after a routine PCI scan.

As I understand it, SNI is part of the TLSv1.1 protocol; however, we discovered that nginx SNI does not work without the TLSv1 protocol being enabled.

Steps to reproduce:

1. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
2. SNI works as expected
3. PCI scans complain of "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability" CVE-2011-3389
4. ssl_protocols TLSv1.1 TLSv1.2;
5. verify that SNI is now broken

Although not documented, I have found others stating that TLSv1 is required by nginx to support SNI, although TLSv1.1 is the earliest implementation of SNI, and Apache does not exhibit a similar limitation.
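The two `ssl_protocols` settings from the steps above, side by side in a minimal multi-tenant configuration, as an added example that is not from the original post. The tenant hostnames, certificate paths and the backend address are placeholders; the fragment sits inside the `http` context.

```nginx
# Added example (editor's illustration, not the poster's configuration).
# tenant-a/tenant-b hostnames, certificate paths and the 127.0.0.1:8080
# backend are assumed placeholders.

# Setting from step 1: SNI selects the right server block, but TLSv1 is
# enabled, which is what the PCI scan reports as CVE-2011-3389.
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Setting from step 4: TLSv1 removed. The post reports that with this
# setting on nginx the SNI-based selection below no longer works.
ssl_protocols TLSv1.1 TLSv1.2;

server {
    listen 443 ssl;
    server_name tenant-a.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/ssl/tenant-a.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/tenant-a.key;   # assumed path

    location / {
        proxy_pass http://127.0.0.1:8080;              # assumed backend
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    server_name tenant-b.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/ssl/tenant-b.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/tenant-b.key;   # assumed path

    location / {
        proxy_pass http://127.0.0.1:8080;              # assumed backend
        proxy_set_header Host $host;
    }
}
```

To perform the check in step 5 against either setting, connect with a client that sends the SNI extension and pins the protocol version, for example `openssl s_client -connect proxy.example.com:443 -servername tenant-b.example.com -tls1_1 </dev/null | openssl x509 -noout -subject`, and compare the subject of the returned certificate with the name passed to `-servername`; if the first server block's certificate comes back for `tenant-b.example.com`, SNI selection is not taking effect for that protocol version. Repeat with `-tls1_2` so the result is not specific to one version.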