There is something strange, though. I configured cipher suites with ssl_ciphers with suites from TLSv1.0 & TLSv1.2 (TLSv1.1 having no specific cipher suites but merely relying on those from TLSv1.0). Those 3 protocols can be tested successfully when ssl_protocols is at its default value (TLSv1 TLSv1.1 TLSv1.2 since nginx v1.9.1). However, when trying to remove TLSv1 (thus using TLSv1.1 TLSv1.2 for those who are following ^^), I cannot connect using either TLSv1.0 or TLSv1.1; only with TLSv1.2 can a connection be established.
I am probably overlooking something... What is it?
---
*B. R.*

On Thu, Jan 19, 2017 at 3:28 PM, B.R. <[email protected]> wrote:

> I acknowledge how that works, although OpenSSL providing more flexibility
> over SNI for protocols supporting it would have been appreciated. Too bad.
> Thanks Maxim for your always concise and straightforward discerning answers!
> ---
> *B. R.*
>
> On Thu, Jan 19, 2017 at 2:36 PM, Maxim Dounin <[email protected]> wrote:
>
>> Hello!
>>
>> On Thu, Jan 19, 2017 at 10:04:46AM +0100, B.R. via nginx wrote:
>>
>> > Hello,
>> >
>> > I tried to overload the value of my default ssl_protocols (http block
>> > level) in a server block.
>> > It did not seem to apply the other value in this virtual server only.
>> >
>> > Since I use SNI on my OpenSSL implementation, which perfectly works to
>> > support multiple virtual servers, I wonder why this SNI capability isn't
>> > leveraged to apply a different TLS environment depending on the SNI value
>> > and the TLS directives configured for the virtual server of the asked
>> > domain.
>> > Can SNI be used for other TLS configuration directives other than
>> > certificates?
>> >
>> > More generally, is it normal that you cannot overload directives such as
>> > ssl_protocols or ssl_ciphers in a specific virtual server, using the
>> > same socket as others?
>> > If positive, would it be possible to use SNI to tweak the TLS connection
>> > environment depending on domain?
>>
>> You can overload ssl_ciphers. You can't overload ssl_protocols
>> because OpenSSL works this way: it selects the protocol used
>> before the SNI callback (and this behaviour looks more or less natural
>> because the existence of SNI depends on the protocol used, and,
>> for example, you can't enable SSLv3 in an SNI-based virtual host).
>>
>> In general, whether or not some SSL feature can be tweaked for
>> SNI-based virtual hosts depends on two factors:
>>
>> - if it's at all possible;
>> - how OpenSSL handles it.
>>
>> In some cases nginx also tries to provide per-virtualhost support
>> even for things OpenSSL doesn't handle natively, e.g., ssl_verify,
>> ssl_verify_depth, ssl_prefer_server_ciphers.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/
>>
>
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
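The point Maxim makes above (OpenSSL fixes the protocol version before the SNI callback runs, so an ssl_protocols value in a server {} block cannot differ per SNI name, while ssl_ciphers and a few other directives are applied per virtual host) is easy to lose in a large configuration. Below is an added example, not code from the thread or from the nginx project, of a small configuration lint written for this reply: it parses a minimal nginx config, collects the ssl_* directives at the http level and in each server block, and reports any server-level ssl_protocols that differs from the socket-wide value and therefore will not take effect for that host. The config text is constructed for the example (hostnames, paths and cipher strings are hypothetical), and the parser handles only the subset of nginx syntax needed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (hypothetical hosts, paths and ciphers).
# ssl_protocols is set at http level; the first server block tries to
# override it, the second only overrides ssl_ciphers.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    server {
        listen 443 ssl;
        server_name a.example.test;
        ssl_certificate     /etc/nginx/a.crt;
        ssl_certificate_key /etc/nginx/a.key;
        ssl_protocols TLSv1.2;    # chosen before SNI: cannot apply per host
    }

    server {
        listen 443 ssl;
        server_name b.example.test;
        ssl_certificate     /etc/nginx/b.crt;
        ssl_certificate_key /etc/nginx/b.key;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;   # applied per virtual host
    }
}
"""

# Directives OpenSSL settles before the SNI callback, so a server-level value
# that differs from the http-level one is silently ineffective (per the thread).
SNI_FIXED = {"ssl_protocols"}


def _tokens(text: str) -> List[str]:
    """Strip '#' comments and split into words plus the structural tokens { } ;."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse_ssl_settings(conf: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return (http_level ssl_* directives, list of server blocks).

    Each server entry is {'server_name': str, 'settings': {directive: value}}.
    Only ssl_* directives directly inside http {} or server {} are collected;
    nested blocks such as location {} are skipped.
    """
    stack: List[str] = []           # names of the currently open blocks
    http: Dict[str, str] = {}
    servers: List[dict] = []
    current = None
    buf: List[str] = []
    for tok in _tokens(conf):
        if tok == "{":
            name = buf[0] if buf else ""
            stack.append(name)
            if name == "server":
                current = {"server_name": "", "settings": {}}
                servers.append(current)
            buf = []
        elif tok == "}":
            if stack.pop() == "server":
                current = None
            buf = []
        elif tok == ";":
            if buf:
                directive, value = buf[0], " ".join(buf[1:])
                if stack and stack[-1] == "server" and current is not None:
                    if directive == "server_name":
                        current["server_name"] = value
                    elif directive.startswith("ssl_"):
                        current["settings"][directive] = value
                elif stack and stack[-1] == "http" and directive.startswith("ssl_"):
                    http[directive] = value
            buf = []
        else:
            buf.append(tok)
    return http, servers


def lint_sni_overrides(conf: str) -> List[Tuple[str, str, str, str]]:
    """One finding per server-level directive that cannot take effect per SNI name.

    Each finding is (server_name, directive, server_value, http_value), so the
    operator sees which value the listening socket will actually use.
    """
    http, servers = parse_ssl_settings(conf)
    findings = []
    for srv in servers:
        for directive, value in srv["settings"].items():
            if directive in SNI_FIXED and value != http.get(directive):
                findings.append((srv["server_name"], directive, value, http.get(directive, "")))
    return findings


if __name__ == "__main__":
    for host, directive, wanted, effective in lint_sni_overrides(SAMPLE_CONF):
        print(f"{host}: {directive} '{wanted}' is ignored for SNI hosts; "
              f"socket-wide value is '{effective}'")
```

Run against the sample, the lint reports the a.example.test override of ssl_protocols and says nothing about b.example.test, whose ssl_ciphers override is one of the per-virtual-host settings the thread says nginx honours. The practical follow-up is to keep ssl_protocols at the http level (or in the default server for the listening socket) and to verify the effective protocol set from the client side, for example with openssl s_client and its -servername option for each hostname sharing the socket.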
