Re: How to force SNI only connections, or have a fallback non-SNI server?

July 14, 2010 04:12PM
On Wed, Jul 14, 2010 at 03:47:29PM -0300, Tiago Freire wrote:

> EV is a requirement because upper management wants the 'green bar'.
>
> It is my understanding that Apache has a configuration option to force
> SNI-only SSL handshake, returning a (user-configurable I believe) error to
> the non-SNI clients, therefore it must be possible to customize the action
> taken about the presence (or absence) of the SNI header.
>
> I am no expert of the bits and bytes, step-by-step of SSL, but from what I
> have read while researching, the SNI specification dictates that at the
> beginning of the handshake to establish the SSL connection the client would
> send the URL to which it wants to connect, which is the main ingredient for
> SNI to work. Lack of this would indicate a non-SNI connection handshake.
>
> Apache can act on it, I thought nginx could be able to act on it too, that's
> why I am asking. If nginx does not currently have this functionality, I see
> value in implementing it, and that's what I would like to propose:
>
> A way to detect and segregate SNI and non-SNI connections before the SSL
> handshake finishes (this must be possible because it is the very way SNI
> works), and give the nginx administrator configurable options to act upon
> the different connections: give an error on non-SNI connections, or send
> them to a different server, or just accept them in the first ssl server.

There is no way to tell a browser something like a 403 error or a redirect before
the SSL handshake finishes. If you mean Apache's "SSLStrictSNIVHostCheck on",
then it starts to work only after the browser has shown a message about an
inappropriate certificate name, if you have several sites on a single IP.

If you have only one server and want to enable SNI-only access, then
you can use:

server {
    # default server on 443: a client that sends no SNI lands here and gets 403
    listen 443 default;
    server_name _;
    ssl on;
    ssl_certificate one.site.cert;
    return 403;
}

server {
    # clients that send SNI for www.one.site are matched to this server
    listen 443;
    server_name www.one.site;
    ssl on;
    ssl_certificate one.site.cert;
    ...
}


> On Wed, Jul 14, 2010 at 2:01 PM, Alex Sergeyev <asergeyev@dyn.com> wrote:
>
> > Tiago if (by any chance) your site names are in same domain - you may
> > consider non-EV but WILDCARD certificate for *.domain.tld
> >
> > Alex.
> >
> >
> > On Wed, 2010-07-14 at 13:17 -0300, Tiago Freire wrote:
> > > I was hoping that there would be a configuration option on nginx to
> > > either:
> > > 1) give a 403 error - or whatever error is best fit - when it detects
> > > non-SNI SSL handshake; or
> > > 2) redirect non-SNI SSL handshake traffic to a different virtual
> > > server.


--
Igor Sysoev
http://sysoev.ru/en/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx