I configured Nginx for two TLS virtualhosts, 'example.one' and 'example.two', with two different certificates.
I need to set up TLS 1.0+ for the first one and only TLS 1.2 for the second one. However, the second one's (example.two) configuration ignores its ssl_protocols directive and takes ssl_protocols from the first server directive.
So both server directives use the first configured ssl_protocols directive.
    server {
        listen 443 default_server ssl spdy;
        server_name example.one;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /certs/cert-for-example.one.pem;
        ssl_certificate_key /certs/privkey-for-example.one.pem;
        # other ssl_* directives ...
    }
    server {
        listen 443 ssl spdy;
        server_name example.two;
        ssl_protocols TLSv1.2;
        ssl_certificate /certs/cert-for-example.two.pem;
        ssl_certificate_key /certs/privkey-for-example.two.pem;
        # other ssl_* directives ...
    }
I don't want to use SSL3, so TLS SNI should work fine. And I don't care about clients without TLS SNI support.
The only relevant information I found is here. It says OpenSSL is responsible.
Am I doing something wrong? Or is there a workaround for this? (Except a separate IP address per server directive, but I don't wanna go back to the Stone Age.)
I use Nginx/1.6.2 and OpenSSL 1.0.1e on Debian Wheezy.
It's how SSL works. SSL creates the connection first and then does SNI. Nginx will pick up one set of SSL settings (such as those in the default server config) to create the SSL connection. If that config doesn't specify some SSL protocol, that protocol won't be used at all.
So basically the "per server ssl protocols" won't work as it looks like.
You may try to specify the union set of SSL protocols in the default server config and disable some of them in every server config. I tried this and it worked. But I didn't test every possible case.
You may see the discussion here: http://mailman.nginx.org/pipermail/nginx/2014-November/045733.html
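The workaround the answer describes, written out against the asker's own two server blocks, as an added example that is not part of the original question or answer. It assumes the same certificate paths and server names as the question; the nginx and OpenSSL versions named above (1.6.2 / 1.0.1e) are the environment it is meant for. The default server carries the union of every protocol any virtualhost must accept, so the listening socket is created with all of them enabled; each named server then lists only the subset it wants, which can narrow but never widen what the default server allowed.

```nginx
# Default server: must list the UNION of protocols needed by any virtualhost on
# this socket, because the TLS connection is created with these settings before
# SNI selects the real server block.
server {
    listen 443 default_server ssl spdy;
    server_name example.one;

    # Widest set any host on this socket needs (example.one wants TLS 1.0+).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_certificate     /certs/cert-for-example.one.pem;
    ssl_certificate_key /certs/privkey-for-example.one.pem;
    # other ssl_* directives ...
}

# Named server: after SNI selects this block, its ssl_protocols can only
# RESTRICT the set already enabled on the default server, never add to it.
server {
    listen 443 ssl spdy;
    server_name example.two;

    # Subset of the default server's list; TLS 1.0/1.1 are disabled here.
    ssl_protocols TLSv1.2;

    ssl_certificate     /certs/cert-for-example.two.pem;
    ssl_certificate_key /certs/privkey-for-example.two.pem;
    # other ssl_* directives ...
}
```

Because the restriction only applies once SNI has matched example.two, verify the result per name rather than per IP: a client that sends SNI for example.two and offers only TLS 1.0 (for instance openssl s_client -connect host:443 -servername example.two -tls1) should be refused, while the same probe with -servername example.one should succeed, and TLS 1.2 should work for both. A client that sends no SNI at all lands on the default server and gets its wider protocol list, which is the trade-off the asker already accepted.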