Welcome! Log In Create A New Profile

Advanced

Re: ssl_protocols per server?

All files from this thread

File Name File Size   Posted by Date  
linkedin.png 655 bytes open | download mike-pt 10/15/2014 Read message
linkedin.png 655 bytes open | download mike-pt 10/16/2014 Read message
Maxim Dounin
October 16, 2014 10:00AM
Hello!

On Thu, Oct 16, 2014 at 02:41:33PM +0100, Miguel Clara wrote:

> Hum... makes sense when sni is involved yes, but I get the same issue if
> using the same certificate (wildcard) for 2 subdomains our my dev
> environment.
>
> say "blog.domain.com" and "forums.domain.com" and I tested with
> cert/key_path define in the server's blocks and in conf.d/ssl.conf (which
> is read before site-enabled/*) both give the same result
>
> This are curl result with any ssl path/cipher striped form server blocks,
> and in one ssl_protocol as sslv3 (forums) the other does not

[...]

> NOTE: the blog config is read first... if I rename the forums config to
> 00-forums.conf SSLv3 works, but works for both and it should not work for
> blog... so It seems that its not only about sni?

Again: as long as SSLv3 is not enabled in the default server
block, SSLv3 will not work. If it's enabled, it will work for all
virtual servers using the listen socket in question. By chaning
names you effectively change default server for the listen socket in
question (but that's bad and not guaranteed to work, use
"listen ... default_server" instead). That's expected behaviour.

Quoting my previous response here, you may want to re-read it to
make sure you've understood it correctly:

> > When using SSLv3 to connect, settings of the default server{}
> > block will be used. This is because there is no SNI in SSLv3, and
> > hence SSL connection is established in the context of the default
> > server{} block. The appropriate server{} block is then selected
> > based on Host header in an http request, much like it used to work
> > with non-SNI virtual hosting and normal HTTP.
> >
> > That is, by using the "ssl_protocols" directive you can only limit
> > use of SSLv3 for all servers on a particular listen socket, as due
> > to lack of SNI it doesn't make sense in non-default server{}
> > blocks.
> >
> > If you want to limit use of SSLv3 for a particular server only,
> > you have two basic options:
> >
> > - use a separate listen socket for this server (that is, use a
> > separate IP address);
> >
> > - test $ssl_protocol variable during a http request processing and
> > return an error; something like
> >
> > if ($ssl_protocol = "SSLv3") {
> > return 403;
> > }
> >
> > will do the trick.

Addditionally, here are link to article about request processing
in nginx, it explains things about "default_server" and so on:

http://nginx.org/en/docs/http/request_processing.html

Hope this helps.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

ssl_protocols per server?

mike-pt October 15, 2014 07:02PM

Re: ssl_protocols per server? Attachments

mike-pt October 15, 2014 07:08PM

Re: ssl_protocols per server?

Francis Daly October 15, 2014 07:14PM

Re: ssl_protocols per server?

mike-pt October 15, 2014 07:38PM

Re: ssl_protocols per server?

mex October 16, 2014 03:15AM

Re: ssl_protocols per server? Attachments

mike-pt October 16, 2014 09:02AM

Re: ssl_protocols per server?

Maxim Dounin October 16, 2014 09:02AM

Re: ssl_protocols per server?

Maxim Dounin October 16, 2014 10:00AM

Re: ssl_protocols per server?

mike-pt October 16, 2014 10:32AM

Re: ssl_protocols per server?

saravsars November 07, 2014 04:23AM

Re: ssl_protocols per server?

Maxim Dounin November 07, 2014 08:40AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 114
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready