Re: ssl_protocols & SNI

B.R. via nginx
January 19, 2017 09:30AM
I acknowledge how that works, although OpenSSL providing more flexibility
over SNI for protocols supporting it would have been appreciated. Too bad.
Thanks Maxim for your always concise and straightforward discerning answers!
---
*B. R.*

On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>
> > Hello,
> >
> > I tried to overload the value of my default ssl_protocols (http block
> > level) in a server block.
> > It did not seem to apply the other value in this virtual server only.
> >
> > Since I use SNI on my OpenSSL implementation, which perfectly works to
> > support multiple virtual servers, I wonder why this SNI capability isn't
> > leveraged to apply different TLS environment depending on the SNI value and
> > the TLS directives configured for the virtual server of the asked domain.
> > Can SNI be used for other TLS configuration directives other than
> > certificates?
> >
> > More generally, is it normal you cannot overload directives such as
> > ssl_protocols or ssl_ciphers in a specific virtual server, using the same
> > socket as others?
> > If positive, would it be possible to use SNI to tweak TLS connections
> > environment depending on domain?
>
> You can overload ssl_ciphers. You can't overload ssl_protocols
> because OpenSSL works this way: it selects the protocol used
> before SNI callback (and this behaviour looks more or less natural
> because the existence of SNI depends on the protocol used, and,
> for example, you can't enable SSLv3 in a SNI-based virtual host).
>
> In general, whether or not some SSL feature can be tweaked for
> SNI-based virtual hosts depends on two factors:
>
> - if it's at all possible;
> - how OpenSSL handles it.
>
> In some cases nginx also tries to provide per-virtualhost support
> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
> ssl_verify_depth, ssl_prefer_server_ciphers.
>
> --
> Maxim Dounin
> http://nginx.org/
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
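A way to check what a shared listening socket actually negotiates per SNI name, written here as an added example (not code from the thread or from nginx); the host, port and server names passed on the command line are placeholders for your own setup:

```shell
#!/bin/sh
# Added example, not from the thread: probe one listening socket with several
# SNI names and print the negotiated TLS protocol and cipher for each one.
# On a shared socket a per-server ssl_ciphers override shows up as a different
# cipher, while a per-server ssl_protocols override does not change the
# protocol (OpenSSL picks it before the SNI callback); this makes that visible.

# parse_s_client: read `openssl s_client` output on stdin and print
# "<protocol> <cipher>" taken from the SSL-Session block (last block wins).
parse_s_client() {
    awk -F': *' '
        $1 ~ /^ *Protocol *$/ { proto = $2 }
        $1 ~ /^ *Cipher *$/   { cipher = $2 }
        END { print proto, cipher }
    '
}

# probe_sni HOST PORT NAME...: one handshake per SNI name against HOST:PORT,
# printing "<name> <protocol> <cipher>" per line.
probe_sni() {
    host=$1; port=$2; shift 2
    for name in "$@"; do
        summary=$(openssl s_client -connect "$host:$port" -servername "$name" \
                      </dev/null 2>/dev/null | parse_s_client)
        printf '%s %s\n' "$name" "$summary"
    done
}

# Constructed sample of the s_client lines the parser looks at (not real
# output from any host), used below when no target is given.
SAMPLE_SESSION='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

if [ $# -ge 3 ]; then
    probe_sni "$@"      # e.g. ./probe.sh 203.0.113.10 443 a.example b.example
else
    printf '%s\n' "$SAMPLE_SESSION" | parse_s_client
fi
```

Run it with the same address and port for every name you list; identical protocol across names with differing ciphers is exactly the behaviour Maxim describes.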