Any help?
---
*B. R.*

On Thu, Jan 19, 2017 at 7:07 PM, B.R. <reallfqq-ng...@yahoo.fr> wrote:

> There is something strange, though.
>
> I configured cipher suites with ssl_ciphers with suites from TLSv1.0 &
> TLSv1.2 (TLSv1.1 having no specific cipher suites but merely relying on
> those from TLSv1.0).
> Those 3 protocols can be tested successfully when ssl_protocols is at its
> default value (TLSv1 TLSv1.1 TLSv1.2 since nginx v1.9.1).
> However, trying to remove TLSv1 (thus using TLSv1.1 TLSv1.2 for those who
> are following ^^), I cannot connect using either TLSv1.0 or TLSv1.1; only
> with TLSv1.2 can a connection be established.
>
> I am probably overlooking something... What is it?
> ---
> *B. R.*
>
> On Thu, Jan 19, 2017 at 3:28 PM, B.R. <reallfqq-ng...@yahoo.fr> wrote:
>
>> I acknowledge how that works, although OpenSSL providing more flexibility
>> over SNI for protocols supporting it would have been appreciated. Too bad.
>> Thanks Maxim for your always concise and straightforward discerning
>> answers!
>> ---
>> *B. R.*
>>
>> On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <mdou...@mdounin.ru> wrote:
>>
>>> Hello!
>>>
>>> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>>>
>>> > Hello,
>>> >
>>> > I tried to overload the value of my default ssl_protocols (http block
>>> > level) in a server block.
>>> > It did not seem to apply the other value in this virtual server only.
>>> >
>>> > Since I use SNI on my OpenSSL implementation, which perfectly works to
>>> > support multiple virtual servers, I wonder why this SNI capability isn't
>>> > leveraged to apply different TLS environment depending on the SNI value and
>>> > the TLS directives configured for the virtual server of the asked domain.
>>> > Can SNI be used for other TLS configuration directives other than
>>> > certificates?
>>> >
>>> > More generally, is it normal you cannot overload directives such as
>>> > ssl_protocols or ssl_ciphers in a specific virtual server, using the same
>>> > socket as others?
>>> > If positive, would it be possible to use SNI to tweak TLS connections
>>> > environment depending on domain?
>>>
>>> You can overload ssl_ciphers. You can't overload ssl_protocols
>>> because OpenSSL works this way: it selects the protocol used
>>> before SNI callback (and this behaviour looks more or less natural
>>> because the existence of SNI depends on the protocol used, and,
>>> for example, you can't enable SSLv3 in a SNI-based virtual host).
>>>
>>> In general, whether or not some SSL feature can be tweaked for
>>> SNI-based virtual hosts depends on two factors:
>>>
>>> - if it's at all possible;
>>> - how OpenSSL handles it.
>>>
>>> In some cases nginx also tries to provide per-virtualhost support
>>> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
>>> ssl_verify_depth, ssl_prefer_server_ciphers.
>>>
>>> --
>>> Maxim Dounin
>>> http://nginx.org/
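As an added illustration of the behaviour Maxim describes (this is an example written for this page, not a configuration from the thread or from the nginx documentation), here are two SNI virtual hosts sharing one listen socket. Hostnames, certificate paths and cipher lists are placeholders:

```nginx
# Added example: two server names on one TLS listen socket.
http {
    # The protocol version is negotiated by OpenSSL before the SNI callback
    # runs, so the ssl_protocols of the default server for this listen
    # socket governs every name served on it.
    server {
        listen 443 ssl default_server;
        server_name a.example.com;                    # placeholder
        ssl_certificate     /etc/ssl/a.example.com.crt;   # placeholder
        ssl_certificate_key /etc/ssl/a.example.com.key;   # placeholder
        ssl_protocols TLSv1.1 TLSv1.2;   # applies to a.example.com AND b.example.com
        ssl_ciphers   HIGH:!aNULL:!MD5;  # placeholder list
    }

    server {
        listen 443 ssl;
        server_name b.example.com;                    # placeholder
        ssl_certificate     /etc/ssl/b.example.com.crt;   # placeholder
        ssl_certificate_key /etc/ssl/b.example.com.key;   # placeholder
        # No effect for this name: the protocol was already chosen from the
        # default server's list above before nginx learned the SNI value.
        ssl_protocols TLSv1.2;
        # These ARE applied per server name once SNI has selected this block
        # (ssl_ciphers via OpenSSL; ssl_prefer_server_ciphers via nginx's
        # own per-virtualhost handling, as Maxim notes).
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;  # placeholder list
        ssl_prefer_server_ciphers on;
    }
}
```

To see the difference from a client, connect with a forced version and server name, e.g. `openssl s_client -connect 127.0.0.1:443 -servername b.example.com -tls1_1`: the handshake succeeds even though the b.example.com block lists only TLSv1.2, whereas `-servername b.example.com -cipher AES128-SHA` fails because the per-name ssl_ciphers list is honoured. If a stricter protocol floor is genuinely required for one name, it needs its own listen socket (a separate IP or port) rather than a per-server ssl_protocols on a shared one.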
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx