Re: ssl_protocols per server?

October 16, 2014 10:32AM
On Thu, Oct 16, 2014 at 2:58 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 02:41:33PM +0100, Miguel Clara wrote:
>
> > Hum... makes sense when SNI is involved, yes, but I get the same issue if
> > using the same certificate (wildcard) for 2 subdomains of my dev
> > environment.
> >
> > say "blog.domain.com" and "forums.domain.com", and I tested with
> > cert/key_path defined in the server blocks and in conf.d/ssl.conf (which
> > is read before site-enabled/*); both give the same result
> >
> > These are the curl results with any ssl path/cipher stripped from the server blocks,
> > and with ssl_protocol set to sslv3 in one (forums) while the other does not
>
> [...]
>
> > NOTE: the blog config is read first... if I rename the forums config to
> > 00-forums.conf SSLv3 works, but it works for both and it should not work for
> > blog... so it seems that it's not only about SNI?
>
> Again: as long as SSLv3 is not enabled in the default server
> block, SSLv3 will not work. If it's enabled, it will work for all
> virtual servers using the listen socket in question. By changing
> names you effectively change the default server for the listen socket in
> question (but that's bad and not guaranteed to work, use
> "listen ... default_server" instead). That's expected behaviour.
>
> Quoting my previous response here, you may want to re-read it to
> make sure you've understood it correctly:
>

Duh, yes, I get it now; it's not possible to do this with SSLv3 enabled by
default (also I do have default_server in ssl.conf):

server {
    listen 443 default_server ssl spdy;
    server_name _;
    ssl_certificate wildcard.crt;
    ssl_certificate_key wildcard.key;
}

This just makes it use the cert for all and uses this as the default (which, as
you say, is preferable to just setting it on the server block and expecting
nginx to use the first one as default).

I was using ssl_protocols TLSv1 TLSv1.1 TLSv1.2; or ssl_protocols SSLv3
TLSv1 TLSv1.1 TLSv1.2; in the servers only, and then moved it to ssl.conf.

And what you say is that *the expected behaviour* is that if SSLv3 is on then
it's on for all, and if not it's off for all; it will use the default config
(or the first one it grabs, although that's not the recommended case).

So as I said somewhere before, this is indeed on for all or for none, but
it's not a bug, it's how it works; there is no way around it except using a
different socket (IP) for each server!

I was wrongly expecting it would work differently with a wildcard cert.

Thanks for the clarification
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
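The whole thread turns on one rule: the ssl_protocols of the default server is what a listen socket actually offers, and an ssl_protocols line in an SNI-selected server block on the same socket has no effect. As an added illustration (not code from the thread or from nginx), the Python check below reads a flat server{} config and flags both the "SSLv3 for everyone" case and the per-vhost lines that will be ignored. The minimal parser, the constructed sample config and the assumed built-in protocol default are this example's assumptions.

```python
import re

# Constructed sample (not from the thread): default_server plus two SNI vhosts on one 443 socket.
SAMPLE_CONF = """
server { listen 443 default_server ssl spdy; server_name _;
         ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; }
server { listen 443 ssl; server_name blog.domain.com;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
server { listen 443 ssl; server_name forums.domain.com; }
"""

# Assumed built-in default when the default server sets nothing (nginx 1.9.1+ dropped SSLv3 from it).
BUILTIN_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")

def parse_servers(conf):
    """Flat parser: one dict per server block (assumes no nested blocks, no comments)."""
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        srv = {"listen": None, "default": False, "name": "?", "ssl_protocols": None}
        for stmt in body.split(";"):
            parts = stmt.split()
            if parts and parts[0] == "listen":
                srv["listen"] = parts[1]  # address[:port] the socket binds to
                srv["default"] = "default_server" in parts
            elif parts and parts[0] == "server_name":
                srv["name"] = parts[1]
            elif parts and parts[0] == "ssl_protocols":
                srv["ssl_protocols"] = tuple(parts[1:])
        servers.append(srv)
    return servers

def audit(conf):
    """Apply the thread's rule: the default server's ssl_protocols governs the whole listen socket."""
    findings, by_socket = [], {}
    for srv in parse_servers(conf):
        by_socket.setdefault(srv["listen"], []).append(srv)
    for sock, group in by_socket.items():
        # explicit default_server wins; otherwise nginx takes the first block for that socket
        default = next((s for s in group if s["default"]), group[0])
        effective = default["ssl_protocols"] or BUILTIN_PROTOCOLS
        if "SSLv3" in effective:
            findings.append(f"{sock}: SSLv3 enabled for ALL servers via default server {default['name']}")
        for s in group:
            if s is not default and s["ssl_protocols"] and s["ssl_protocols"] != effective:
                findings.append(f"{sock}: ssl_protocols in {s['name']} is ignored; effective is {' '.join(effective)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

On a real config, strip comments and resolve includes first (the parser here does neither); servers on distinct IP:port sockets are audited independently, which is exactly the "different socket per server" escape hatch mentioned above.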