Hi Maxim,

Thanks for explaining why overloading ssl_protocols won't work. Since the problem is with how OpenSSL works, will it work if we use other openssl alternatives? I see people reporting boringssl and libressl work fine with nginx. Does nginx still need to be modified to support overloading ssl_protocols or is it just a matter of library switch?
Thanks!
Frank

On Thu, Jan 19, 2017 at 5:36 AM, Maxim Dounin <[email protected]> wrote:
> Hello!
>
> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>
> > Hello,
> >
> > I tried to overload the value of my default ssl_protocols (http block
> > level) in a server block.
> > It did not seem to apply the other value in this virtual server only.
> >
> > Since I use SNI on my OpenSSL implementation, which perfectly works to
> > support multiple virtual servers, I wonder why this SNI capability isn't
> > leveraged to apply different TLS environment depending on the SNI value and
> > the TLS directives configured for the virtual server of the asked domain.
> > Can SNI be used for other TLS configuration directives other than
> > certificates?
> >
> > More generally, is it normal you cannot overload directives such as
> > ssl_protocols or ssl_ciphers in a specific virtual server, using the same
> > socket as others?
> > If positive, would it be possible to use SNI to tweak TLS connections
> > environment depending on domain?
>
> You can overload ssl_ciphers. You can't overload ssl_protocols
> because OpenSSL works this way: it selects the protocol used
> before SNI callback (and this behaviour looks more or less natural
> because the existence of SNI depends on the protocol used, and,
> for example, you can't enable SSLv3 in an SNI-based virtual host).
>
> In general, whether or not some SSL feature can be tweaked for
> SNI-based virtual hosts depends on two factors:
>
> - if it's at all possible;
> - how OpenSSL handles it.
>
> In some cases nginx also tries to provide per-virtualhost support
> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
> ssl_verify_depth, ssl_prefer_server_ciphers.
>
> --
> Maxim Dounin
> http://nginx.org/
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
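The behaviour Maxim describes, as an added configuration example that is not from the thread or from nginx itself (host names, certificate paths and cipher strings are placeholders): two SNI virtual hosts share one listen socket; the per-server ssl_ciphers and ssl_prefer_server_ciphers values take effect for each host, while the per-server ssl_protocols override is accepted by the parser but not applied, because OpenSSL has already chosen the protocol version before the SNI callback runs.

```nginx
http {
    # Chosen by OpenSSL before SNI is evaluated, so this value is what
    # every virtual host on the shared socket actually negotiates.
    ssl_protocols TLSv1.2 TLSv1.3;

    server {
        listen 443 ssl;
        server_name a.example.com;                 # placeholder host
        ssl_certificate     /etc/nginx/a.crt;      # placeholder path
        ssl_certificate_key /etc/nginx/a.key;      # placeholder path

        # Applied per SNI virtual host by nginx after the callback.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
    }

    server {
        listen 443 ssl;
        server_name b.example.com;                 # placeholder host
        ssl_certificate     /etc/nginx/b.crt;      # placeholder path
        ssl_certificate_key /etc/nginx/b.key;      # placeholder path

        # These two do take effect for connections that select this
        # host through SNI.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;

        # Accepted by the config parser, but NOT applied to SNI-selected
        # connections: the protocol was fixed before the SNI callback, so
        # the http-level ssl_protocols above is what clients get.
        ssl_protocols TLSv1.3;
    }
}
```

To confirm what a given name actually negotiates, connect with SNI set and a pinned version, for example `openssl s_client -connect 203.0.113.10:443 -servername b.example.com -tls1_2`, and check the "Protocol" line of the output against what the server block claims.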
