Re: ssl_protocols & SNI

Frank Liu
February 10, 2017 06:20PM
Hi Maxim,

Thanks for explaining why overloading ssl_protocols won't work. Since the
problem is with how OpenSSL works, will it work if we use other openssl
alternatives? I see people reporting boringssl and libressl work fine with
nginx. Does nginx still need to be modified to support overloading
ssl_protocols or is it just a matter of library switch?

Thanks!
Frank



On Thu, Jan 19, 2017 at 5:36 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>
> > Hello,
> >
> > I tried to overload the value of my default ssl_protocols (http block
> > level) in a server block.
> > It did not seem to apply the other value in this virtual server only.
> >
> > Since I use SNI on my OpenSSL implementation, which perfectly works to
> > support multiple virtual servers, I wonder why this SNI capability isn't
> > leveraged to apply different TLS environment depending on the SNI value
> > and the TLS directives configured for the virtual server of the asked domain.
> > Can SNI be used for other TLS configuration directives other than
> > certificates?
> >
> > More generally, is it normal you cannot overload directives such as
> > ssl_protocols or ssl_ciphers in a specific virtual server, using the same
> > socket as others?
> > If positive, would it be possible to use SNI to tweak TLS connections
> > environment depending on domain?
>
> You can overload ssl_ciphers. You can't overload ssl_protocols
> because OpenSSL works this way: it selects the protocol used
> before SNI callback (and this behaviour looks more or less natural
> because the existence of SNI depends on the protocol used, and,
> for example, you can't enable SSLv3 in a SNI-based virtual host).
>
> In general, whether or not some SSL feature can be tweaked for
> SNI-based virtual hosts depends on two factors:
>
> - if it's at all possible;
> - how OpenSSL handles it.
>
> In some cases nginx also tries to provide per-virtualhost support
> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
> ssl_verify_depth, ssl_prefer_server_ciphers.
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
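As an added illustration of Maxim's point (not a configuration from the thread), the following nginx fragment shows the split between what can and cannot be tuned per SNI virtual host on a shared socket; the hostnames, certificate paths and cipher strings are assumed placeholders:

```nginx
http {
    # OpenSSL chooses the protocol version before the SNI callback runs,
    # so the protocol list that applies to every virtual host on the
    # 443 socket is the one in effect for its default server. Set it
    # here (or in the default_server block), never per SNI host.
    ssl_protocols TLSv1.2;

    server {
        # default server for the socket: its ssl_protocols govern all
        # SNI-selected hosts that share this listen socket
        listen 443 ssl default_server;
        server_name www.example.com;                          # assumed name
        ssl_certificate     /etc/nginx/certs/www.example.com.pem;  # assumed path
        ssl_certificate_key /etc/nginx/certs/www.example.com.key;  # assumed path
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
    }

    server {
        listen 443 ssl;
        server_name legacy.example.com;                       # assumed name
        ssl_certificate     /etc/nginx/certs/legacy.example.com.pem;  # assumed path
        ssl_certificate_key /etc/nginx/certs/legacy.example.com.key;  # assumed path

        # These do take effect for an SNI-selected host: ssl_ciphers is
        # handled by OpenSSL after the SNI callback, and nginx applies
        # ssl_prefer_server_ciphers per virtual host itself.
        ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
        ssl_prefer_server_ciphers off;

        # This would be silently ineffective here: the version was
        # already negotiated from the default server's list above.
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
```

To confirm the outcome rather than trust the config, connect to each name with `openssl s_client -servername <host>` and compare the negotiated protocol and cipher in its output.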