Maxim Dounin
September 06, 2017 09:38AM
Hello!

On Wed, Sep 06, 2017 at 12:15:33PM +0200, Chase Sillevis via nginx wrote:

> Today I ran into the case that the value for
> ssl_session_timeout was overwritten by a different server block
> (namely, the one with default_server). After asking around in
> the IRC, it seems that this is more or less expected behaviour
> (“I suspect as TLS/SSL is done before HTTP protocol”), however,
> I am left wondering which other variables, besides
> ssl_session_timeout, I should worry about here.
>
> And is this indeed expected behaviour?

When using SSL and name-based virtual servers, there are two basic
cases to consider:

1. Client is not using the Server Name Indication (SNI) TLS extension.
This is rare nowadays, though it still happens. In this case, the
whole SSL handshake happens before the name the client tries to
access is even known, and all ssl_* settings will be applied from
the default server.

2. Client is using SNI. In this case, the name the client tries to
connect to is known in advance, and it is possible to apply some
of the ssl_* settings from the relevant name-based virtual server.
Most notably, the appropriate SSL certificate will be used. It is
not possible to apply all settings though, mostly due to OpenSSL
limitations. In particular:

- session resumption happens before the SNI callback, and hence all
session-related settings will be used from the default server
(ssl_session_*);

- the protocol will be fixed by OpenSSL before the SNI extension is
parsed, and hence ssl_protocols will be used from the default
server;

- ssl_ecdh_curve will be used from the default server
(https://trac.nginx.org/nginx/ticket/1089).
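The practical consequence of the rules above is that some ssl_* directives written in a non-default server block never take effect, and nginx gives no warning. The following is an added example (not code from this thread or from the nginx project): a small checker that parses an nginx configuration fragment, finds the default server for each listen socket, reports the ssl_* directives in other server blocks that will be taken from the default server instead, and resolves which block's value wins for a given client (with SNI for a name, or without SNI). It assumes the behaviour described in this 2017 thread for nginx 1.12.1, that ssl_* directives sit directly at server level, and a constructed two-server configuration embedded inline.

```python
import re

# Constructed nginx.conf fragment (not from the thread): two name-based
# virtual servers on the same listen socket; the first one is default_server.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl default_server;
        server_name example.test;
        ssl_certificate     /etc/ssl/example.test.crt;
        ssl_certificate_key /etc/ssl/example.test.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;
    }
    server {
        listen 443 ssl;
        server_name other.test;
        ssl_certificate     /etc/ssl/other.test.crt;
        ssl_certificate_key /etc/ssl/other.test.key;
        ssl_session_timeout 1d;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ecdh_curve secp384r1;
        ssl_ciphers HIGH:!aNULL;
    }
}
"""

# Directives that, per this thread (nginx 1.12.1 era), always come from the
# default server of the listen socket, even when the client sends SNI.
DEFAULT_ONLY_PREFIXES = ("ssl_session_", "ssl_protocols", "ssl_ecdh_curve")

DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;]*);", re.M)


def split_server_blocks(conf):
    """Return the body text of every server { ... } block, brace-aware."""
    blocks, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[i:])
        if not m:
            return blocks
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            if conf[j] == "{":
                depth += 1
            elif conf[j] == "}":
                depth -= 1
            j += 1
        blocks.append(conf[start:j - 1])
        i = j


def parse_servers(conf):
    """One dict per server block: listen address, default flag, names, ssl_* directives."""
    servers = []
    for body in split_server_blocks(conf):
        srv = {"listen": None, "default": False, "names": [], "ssl": {}}
        for d in DIRECTIVE_RE.finditer(body):
            name, args = d.group(1), d.group(2).split()
            if name == "listen":
                srv["listen"] = args[0]
                srv["default"] = "default_server" in args or "default" in args
            elif name == "server_name":
                srv["names"] = args
            elif name.startswith("ssl_"):
                srv["ssl"][name] = " ".join(args)
        servers.append(srv)
    return servers


def default_server_for(servers, listen):
    """The default_server for a listen socket, or the first server on it if none is marked."""
    candidates = [s for s in servers if s["listen"] == listen]
    return next((s for s in candidates if s["default"]), candidates[0]), candidates


def ignored_directives(servers):
    """ssl_* directives in non-default servers that nginx takes from the default server instead."""
    findings = []
    for s in servers:
        if s["default"]:
            continue
        for name, value in s["ssl"].items():
            if name.startswith(DEFAULT_ONLY_PREFIXES):
                findings.append((s["names"][0], name, value))
    return findings


def effective_ssl_settings(servers, listen, sni_name):
    """Map each ssl_* directive to (value, server_name it was taken from).

    sni_name=None models a client without SNI: everything comes from the default server.
    A value of None means the winning block does not set the directive (nginx's own
    default would apply)."""
    default, candidates = default_server_for(servers, listen)
    target = default if sni_name is None else next(
        (s for s in candidates if sni_name in s["names"]), default)
    result = {}
    for name in set(default["ssl"]) | set(target["ssl"]):
        source = default if name.startswith(DEFAULT_ONLY_PREFIXES) else target
        result[name] = (source["ssl"].get(name), source["names"][0])
    return result


if __name__ == "__main__":
    servers = parse_servers(SAMPLE_CONF)
    for host, name, value in ignored_directives(servers):
        print(f"{host}: '{name} {value}' is ignored; default server value applies")
    for name, (value, origin) in sorted(effective_ssl_settings(servers, "443", "other.test").items()):
        print(f"SNI other.test -> {name} = {value!r} (from {origin})")
```

Run it against a real configuration by replacing SAMPLE_CONF with the file contents; anything reported by ignored_directives() should be moved to the default server block for that listen socket, since that is the only place it takes effect.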

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Thread:
nginx-1.12.1 ssl_session_timeout overwritten by default_server, Chase Sillevis via nginx, September 06, 2017 06:16AM
Re: nginx-1.12.1 ssl_session_timeout overwritten by default_server, Maxim Dounin, September 06, 2017 09:38AM
