Re: ssl_protocols per server?

Maxim Dounin
October 16, 2014 09:02AM
Hello!

On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:

> listen 443 ssl spdy;
>
> Actually, SNI is working fine; ssllabs reports the correct certs... it just
> tells me SSLv3 is on in all of them when it's only set for one of the domains...
> At first I had "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level
> and just set "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;" in one of the
> servers/domains. I removed that from the http block and now have the different
> "ssl_protocols" directives in the corresponding configs, and ssllabs reports
> the one defined in the first.
>
> If I change the order (SSLv3 first) ssllabs reports all servers/domains have
> SSLv3 on, but curl fails with "-sslv3" and the error is related to the cert
> name... but I'm assuming that's just because SNI is a TLS extension, not
> SSL... so it actually proves SSLv3 is on when it shouldn't be!

When using SSLv3 to connect, the settings of the default server{}
block will be used. This is because there is no SNI in SSLv3, and
hence the SSL connection is established in the context of the default
server{} block. The appropriate server{} block is then selected
based on the Host header in an HTTP request, much like it used to work
with non-SNI virtual hosting and normal HTTP.

That is, by using the "ssl_protocols" directive you can only limit
use of SSLv3 for all servers on a particular listen socket, as, due
to the lack of SNI, it doesn't make sense in non-default server{}
blocks.

If you want to limit use of SSLv3 for a particular server only,
you have two basic options:

- use a separate listen socket for this server (that is, use a
separate IP address);

- test the $ssl_protocol variable during HTTP request processing and
return an error; something like

if ($ssl_protocol = "SSLv3") {
return 403;
}

will do the trick.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
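The two options Maxim describes, laid out as a complete configuration. This is an added example, not from the original post; hostnames, IP addresses and certificate paths are placeholders.

```nginx
# Added example (not from the original post). Hostnames, IP addresses
# and certificate paths are placeholders.

# Default server for the shared socket 192.0.2.10:443. An SSLv3 client
# sends no SNI, so its handshake always runs in this server's context;
# ssl_protocols set in any other server{} on this socket never apply
# to such a handshake.
server {
    listen 192.0.2.10:443 ssl default_server;
    server_name legacy.example.com;
    ssl_certificate     /etc/nginx/certs/legacy.pem;
    ssl_certificate_key /etc/nginx/certs/legacy.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # the one host that still needs SSLv3
}

# Option 1: a separate listen socket (its own IP) for the strict host.
# This socket has only one server{}, so its ssl_protocols govern every
# handshake on it, with or without SNI.
server {
    listen 192.0.2.11:443 ssl;
    server_name strict.example.com;
    ssl_certificate     /etc/nginx/certs/strict.pem;
    ssl_certificate_key /etc/nginx/certs/strict.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

# Option 2: share the first socket but reject SSLv3 at the HTTP layer.
# The handshake still completes under the default server's settings;
# nginx then routes on the Host header, and this check answers 403.
# (TLS clients that do send SNI get this server's own ssl_protocols
# during the handshake, so the check only matters for SSLv3 clients.)
server {
    listen 192.0.2.10:443 ssl;
    server_name shared.example.com;
    ssl_certificate     /etc/nginx/certs/shared.pem;
    ssl_certificate_key /etc/nginx/certs/shared.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    if ($ssl_protocol = "SSLv3") {
        return 403;
    }
}
```

Note that option 2 still lets the SSLv3 handshake itself succeed against the default server's certificate; only the HTTP request is refused, which is why a separate socket is the stronger choice.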