Hello
>When using SSLv3 to connect, settings of the default server{}
>block will be used. This is because there is no SNI in SSLv3, and
>hence SSL connection is established in the context of the default
>server{} block
Even with TLSv1.1 and TLSv1.2, only the default server's "ssl_protocols" is in effect.
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl default_server;
    server_name "";
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
openssl s_client -connect a.example.com:443 -servername a.example.com -tls1 (success)
TLSv1 is disabled for a.example.com, but the TLSv1 request succeeds.
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl default_server;
    server_name "";
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1.2;
}
openssl s_client -connect a.example.com:443 -servername a.example.com -tls1_1 (failed)
TLSv1, TLSv1.1 and TLSv1.2 are enabled for a.example.com, but the TLSv1 and TLSv1.1 requests fail.
So, even with SNI clients, only the default_server "ssl_protocols" is selected.
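The probing done by hand above can be scripted so an operator can verify which TLS versions a listener really accepts per SNI name. This is an added audit helper, not code from the post or from nginx; the host, port and SNI names are placeholders, and the OPENSSL variable exists only so the probe can be pointed at a stub.

```shell
#!/bin/sh
# Added helper (not from the original post): probe which TLS versions a
# server accepts for a given SNI name, using the same openssl s_client
# calls as the post, so the per-server_name ssl_protocols can be checked
# against what the default_server block actually enforces.
OPENSSL=${OPENSSL:-openssl}   # overridable so the probe can be stubbed

# probe_tls HOST PORT SNI VERSION -> prints "VERSION ok" or "VERSION rejected"
# VERSION is the s_client flag without the dash: tls1 tls1_1 tls1_2 tls1_3
probe_tls() {
    host=$1; port=$2; sni=$3; ver=$4
    # s_client exits non-zero when the handshake is refused
    if "$OPENSSL" s_client -connect "$host:$port" -servername "$sni" \
            "-$ver" </dev/null >/dev/null 2>&1; then
        printf '%s ok\n' "$ver"
    else
        printf '%s rejected\n' "$ver"
    fi
}

# probe_all HOST PORT SNI -> one result line per TLS version
probe_all() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        probe_tls "$1" "$2" "$3" "$v"
    done
}

# compare_sni HOST PORT SNI_A SNI_B -> "same" when both names accept exactly
# the same versions (the behaviour the post observes), otherwise "differs"
compare_sni() {
    a=$(probe_all "$1" "$2" "$3")
    b=$(probe_all "$1" "$2" "$4")
    if [ "$a" = "$b" ]; then echo same; else echo differs; fi
}

# Example run (placeholder host and names):
# compare_sni 192.0.2.10 443 a.example.com default.example.com
```

Note that a "rejected" result can also come from the client side: a modern OpenSSL build may refuse -tls1 or -tls1_1 itself at its default security level, so check the s_client error text before attributing a rejection to the server.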