Hum... makes sense when SNI is involved, yes, but I get the same issue if using the same certificate (wildcard) for 2 subdomains on my dev environment,
say "blog.domain.com" and "forums.domain.com", and I tested with cert/key_path defined in the server blocks and in conf.d/ssl.conf (which is read before site-enabled/*); both give the same result.

These are the curl results with any ssl path/cipher stripped from the server blocks, and with ssl_protocols set to SSLv3 in one (forums) but not in the other:

~% curl -sslv3 -I -uuser:pass https://blog.domain.com
* Rebuilt URL to: https://blog.domain.com/
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* Connected to blogdev.domain.com (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0

~% curl -sslv3 -I -uuser:pass https://orums.domain.com
* Rebuilt URL to: https://forums.domain.com/
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* Connected to testforums.domain.com (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0

NOTE: the blog config is read first... if I rename the forums config to 00-forums.conf SSLv3 works, but it works for both, and it should not work for blog... so it seems that it's not only about SNI?

Best Regards
-----------------------------------------------
*Miguel Clara*
*IT - Sys Admin & Developer*
*E-mail: *[email protected]
www.linkedin.com/in/miguelmclara/

On Thu, Oct 16, 2014 at 2:01 PM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:
>
> > listen 443 ssl spdy;
> >
> > Actually, SNI is working fine; ssllabs reports the correct certs... it just
> > tells me SSLv3 is on in all when it's only set for one of the domains...
> > At first I had " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level
> > and just set " ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; " in one of the
> > servers/domains. I removed that from the http block and now have the different
> > "ssl_protocols" directive in the corresponding configs, and ssllabs reports
> > the one defined in the first.
> >
> > If I change the order (sslv3 first) ssllabs reports all servers/domains have
> > sslv3 on, but curl fails with "-sslv3" and the error is related to the cert
> > name ... but I'm assuming that's just because SNI is a TLS extension, not
> > SSL.. so it actually proves sslv3 is on when it shouldn't be!
>
> When using SSLv3 to connect, settings of the default server{}
> block will be used. This is because there is no SNI in SSLv3, and
> hence the SSL connection is established in the context of the default
> server{} block. The appropriate server{} block is then selected
> based on the Host header in an http request, much like it used to work
> with non-SNI virtual hosting and normal HTTP.
>
> That is, by using the "ssl_protocols" directive you can only limit
> use of SSLv3 for all servers on a particular listen socket, as due
> to lack of SNI it doesn't make sense in non-default server{}
> blocks.
>
> If you want to limit use of SSLv3 for a particular server only,
> you have two basic options:
>
> - use a separate listen socket for this server (that is, use a
>   separate IP address);
>
> - test the $ssl_protocol variable during http request processing and
>   return an error; something like
>
>     if ($ssl_protocol = "SSLv3") {
>         return 403;
>     }
>
>   will do the trick.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
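The two options from Maxim's reply, written out as a complete nginx configuration. This is an added example for the thread, not configuration posted by either participant and not taken from nginx's documentation; the hostnames, the addresses 1.2.3.4 and 1.2.3.5, and the certificate paths are placeholders. It shows why a per-server ssl_protocols cannot switch SSLv3 off for one name on a shared socket, and how each option restricts SSLv3 to the forums host only.

```nginx
# Added example (not from the mailing-list thread). Hostnames, IPs and
# certificate paths are placeholders.
#
# SSLv3 carries no SNI, so an SSLv3 ClientHello is always handled by the
# default server{} of the listen socket it arrives on. The protocol set is
# therefore decided per listen socket by that default server{}; the same
# directive in a non-default server{} on the same socket has no effect on
# SSLv3 clients, because they never reach that block during the handshake.

http {
    # One wildcard certificate shared by both virtual hosts
    ssl_certificate     /etc/nginx/ssl/wildcard.domain.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/wildcard.domain.com.key;   # placeholder

    # ---- Option 2: shared socket, reject SSLv3 per request ----------------

    # Default server for 1.2.3.4:443. Only this block's ssl_protocols
    # controls whether SSLv3 is accepted on the socket at all.
    server {
        listen 1.2.3.4:443 ssl default_server;
        server_name forums.domain.com;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # legacy clients allowed here only

        root /var/www/forums;   # placeholder
    }

    server {
        listen 1.2.3.4:443 ssl;
        server_name blog.domain.com;

        # Kept for TLS clients that select this block via SNI. It does NOT
        # stop SSLv3: the handshake has already completed under the default
        # server's settings by the time the Host header selects this block.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # So reject at the HTTP layer instead. $ssl_protocol is set by
        # ngx_http_ssl_module from the negotiated session.
        if ($ssl_protocol = "SSLv3") {
            return 403;
        }

        root /var/www/blog;   # placeholder
    }

    # ---- Option 1: separate listen socket (separate IP) for the blog ------
    # A second address gets its own default server{} and hence its own
    # protocol set; no per-request check is needed. Use this instead of the
    # blog block above if a second IP is available.
    #
    # server {
    #     listen 1.2.3.5:443 ssl default_server;   # placeholder second IP
    #     server_name blog.domain.com;
    #     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #     root /var/www/blog;
    # }
}
```

The difference between the two options matters for what an SSLv3 client actually gets: with the $ssl_protocol check, an SSLv3 session to blog.domain.com is fully negotiated and the 403 is sent inside it, so the request headers (including any credentials) have already crossed an SSLv3 connection; with a separate socket the SSLv3 handshake is refused before any request data is sent. If the aim is to keep SSLv3 off a host entirely, the separate socket is the stronger choice, and the per-request check is the fallback when only one address is available.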
