Different TLS protocols per server in nginx

I configured nginx for two TLS virtual hosts, "example.one" and "example.two", with two different certificates.

I need to configure TLS 1.0+ for the first and TLS 1.2 only for the second. However, the second configuration (example.two) ignores its ssl_protocols directive and accepts the ssl_protocols from the first server directive.

Thus, both server directives use the first configured ssl_protocols directive.

    server {
        listen 443 default_server ssl spdy;
        server_name example.one;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /certs/cert-for-example.one.pem;
        ssl_certificate_key /certs/privkey-for-example.one.pem;
        # other ssl_* directives ...
    }

    server {
        listen 443 ssl spdy;
        server_name example.two;
        ssl_protocols TLSv1.2;
        ssl_certificate /certs/cert-for-example.two.pem;
        ssl_certificate_key /certs/privkey-for-example.two.pem;
        # other ssl_* directives ...
    }

I do not want to use SSL3, so TLS SNI works fine. And I don't care about clients without SNI support.

The only relevant information I found is here. It says OpenSSL is responsible.

Am I doing something wrong? Or is there a workaround for this? (Except a separate IP address per server directive, but I do not want to return to the Stone Age.)

I am using nginx/1.6.2 with OpenSSL 1.0.1e on Debian Wheezy.

+5

5 answers

This is how SSL works: SSL first creates a connection and then performs SNI. Nginx will select one SSL configuration (for example, the default server's configuration) to create the SSL connection. If a protocol is not specified in that configuration, that protocol will not be used at all.

Thus, "ssl_protocols per server" will not work the way it appears to.

You can try specifying the unified set of SSL protocols in the default server configuration and disabling some of them in each server configuration. I tried this and it worked, but I did not test all possible cases.

You can see the discussion here: http://mailman.nginx.org/pipermail/nginx/2014-November/045733.html

+2

As a workaround, it is possible to limit the TLS protocol version using the ssl_ciphers directive. Supplying only TLSv1.2-specific cipher suites will effectively prevent handshakes with lower TLS versions. So, for the example above,

 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256'; 

instead of ssl_protocols TLSv1.2; will do the trick.

+2
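
To check this ssl_ciphers workaround before relying on it, here is an added example (not code from the thread) that asks the OpenSSL build behind Python's ssl module which protocol version each suite in a cipher string requires: when every TLS 1.2-and-below suite is reported as TLSv1.2, a TLS 1.0 or 1.1 ClientHello has no suite in common with the server and the handshake fails. It assumes Python 3.6+ linked against OpenSSL 1.1.0 or newer; WORKAROUND is the cipher string from the answer, LEGACY is a constructed contrast, and the function names are mine.

```python
"""Added example: check whether an ssl_ciphers string really shuts out
TLS 1.0/1.1 by asking OpenSSL which protocol each enabled suite requires."""
import ssl

# From the answer above: only suites that need TLS 1.2 (AES-GCM, SHA-256 MAC).
WORKAROUND = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256"
# Constructed contrast: the second suite (SHA-1 MAC) also works under TLS 1.0.
LEGACY = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA"


def cipher_protocols(cipher_string):
    """Map each TLS<=1.2 suite enabled by an OpenSSL cipher string to the
    lowest protocol version OpenSSL allows it on, e.g. 'TLSv1.2'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)       # raises SSLError if nothing matches
    protocols = {}
    for c in ctx.get_ciphers():
        # OpenSSL 1.1.1+ always lists its TLS 1.3 suites too; they are
        # configured separately and play no part in a TLS 1.0-1.2 handshake.
        if c["protocol"] != "TLSv1.3":
            protocols[c["name"]] = c["protocol"]
    return protocols


def blocks_pre_tls12(cipher_string):
    """True when every enabled TLS<=1.2 suite requires TLS 1.2, so a TLS 1.0
    or 1.1 ClientHello shares no suite with the server and the handshake
    fails (with handshake_failure rather than protocol_version)."""
    protocols = cipher_protocols(cipher_string)
    return bool(protocols) and all(v == "TLSv1.2" for v in protocols.values())


if __name__ == "__main__":
    for s in (WORKAROUND, LEGACY):
        verdict = "TLS 1.2 only" if blocks_pre_tls12(s) else "TLS 1.0/1.1 reachable"
        print("%s\n  %s  %s" % (s, verdict, cipher_protocols(s)))
```

Two caveats follow from how this works: a legacy client is refused with handshake_failure ("no shared cipher" on the server side) instead of a protocol_version alert, which looks different in scanners and logs, and every suite you ever append to that ssl_ciphers line must itself be TLS 1.2-only, which is exactly what the check above verifies.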

This seems to be a bug in nginx. I also posted this answer at https://serverfault.com/a/827794/318927

It always uses the ssl_protocols directive from the first server block and ignores those in any subsequent server blocks. In my case I have many virtual servers running on the same instance, so I used the nginx -T command to display the full combined configuration to find out which server block was the "first", because I split it across many separate configuration files.

At the time of writing I am trying to do this on Ubuntu 14.04.5 with nginx installed from the ondrej/nginx PPA. Specifically, I am running nginx 1.10.2, built with OpenSSL 1.0.2j.

nginx -V output:

    nginx version: nginx/1.10.2
    built with OpenSSL 1.0.2j  26 Sep 2016
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_spdy_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-8xB1_y/nginx-1.10.2/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-8xB1_y/nginx-1.10.2/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-8xB1_y/nginx-1.10.2/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-8xB1_y/nginx-1.10.2/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-8xB1_y/nginx-1.10.2/debian/modules/ngx_http_substitutions_filter_module

As a workaround, I suggest Anton try this: fooobar.com/questions/1207978/...

+2
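
This answer and the first one describe the same rule for the nginx and OpenSSL builds discussed in this thread: the TLS context used for the handshake on a listen socket is the one belonging to that socket's default server (the block flagged default_server, otherwise the first block for the socket), so an ssl_protocols directive in any other server block on that socket is never consulted. The following script is an added example, not code from the thread: it parses a configuration in the shape nginx -T prints and reports, for every SSL server block, the ssl_protocols it declares against the set the socket's default server actually enforces. The parser, the function names and the sample configuration (the question's two servers plus a plain HTTP vhost) are mine; the parser understands only directives, ';' and '{ }', and listen sockets are compared textually (a bare port is read as *:port; other spellings of the same socket, such as 0.0.0.0:443, are not unified).

```python
"""Added example: find ssl_protocols directives nginx will not honour.

On each listen socket the handshake uses the SSL context of that socket's
default server (the block flagged default_server, else the first block for
the socket), so ssl_protocols in any other server block on it is ignored.
"""
import re

BUILTIN_DEFAULT = ["TLSv1", "TLSv1.1", "TLSv1.2"]   # nginx default of that era

# Constructed sample in the shape of `nginx -T` output: the question's two
# servers plus a plain HTTP vhost that must not be reported.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 default_server ssl spdy;
        server_name example.one;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /certs/cert-for-example.one.pem;
    }
    server {
        listen 443 ssl spdy;
        server_name example.two;
        ssl_protocols TLSv1.2;            # never consulted on this socket
    }
    server { listen 80; server_name example.three; }
}
"""


def parse(text):
    """Minimal nginx config parser -> list of (directive, [args], children).
    children is None for simple directives. Comments are stripped; only ';'
    and '{ }' structure is understood, which is enough for server blocks."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            stmt = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                stmt.append(tokens[pos])
                pos += 1
            if pos == len(tokens) or not stmt:
                raise ValueError("malformed config near: %s" % " ".join(stmt))
            pos += 1                       # consume ';' or '{'
            children = block() if tokens[pos - 1] == "{" else None
            items.append((stmt[0], stmt[1:], children))
        return items

    return block()


def simple(items, directive):
    """Args of the first simple directive with that name, or None."""
    return next((a for n, a, c in items if n == directive and c is None), None)


def servers(items, inherited):
    """Yield (server_block, inherited ssl_protocols) for every server block."""
    level = simple(items, "ssl_protocols") or inherited
    for name, _args, children in items:
        if children is None:
            continue
        if name == "server":
            yield children, level
        else:
            yield from servers(children, level)


def ssl_sockets(server):
    """[(socket, is_default)] for each `listen ... ssl` in the block. A bare
    port is read as *:port; other spellings of one socket are not unified."""
    out = []
    for name, args, children in server:
        if name == "listen" and children is None and "ssl" in args[1:]:
            addr = args[0] if ":" in args[0] else "*:" + args[0]
            out.append((addr, "default_server" in args[1:]))
    return out


def lint(config_text):
    """One finding per (ssl server, socket): server_name, socket, declared,
    effective (what the socket's default server enforces) and ignored."""
    by_socket = {}
    for server, inherited in servers(parse(config_text), BUILTIN_DEFAULT):
        name = (simple(server, "server_name") or ["(unnamed)"])[0]
        declared = simple(server, "ssl_protocols") or inherited
        for sock, is_default in ssl_sockets(server):
            by_socket.setdefault(sock, []).append((name, declared, is_default))
    findings = []
    for sock, entries in by_socket.items():
        # the block flagged default_server wins, else the first one listed
        effective = next((e for e in entries if e[2]), entries[0])[1]
        for name, declared, _ in entries:
            findings.append({"server_name": name, "socket": sock,
                             "declared": " ".join(declared),
                             "effective": " ".join(effective),
                             "ignored": set(declared) != set(effective)})
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("%-12s %-6s declared=[%s] effective=[%s] %s" % (
            f["server_name"], f["socket"], f["declared"], f["effective"],
            "IGNORED" if f["ignored"] else "ok"))
```

Run it against `nginx -T` output (python3 lint.py < /dev/stdin after piping nginx -T into it, or paste the text into SAMPLE_CONFIG) and every line marked IGNORED is a server block whose ssl_protocols will not be what clients actually get on that socket; the fix is to move the wanted set into the socket's default server, or to give the stricter vhost its own listen address as the question reluctantly mentions.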

Are you using nginx from the Dotdeb packages? If yes, then in my opinion this is a bug in the Dotdeb nginx-common package in version 1.6.x.

I had a similar configuration on Ubuntu (nginx 1.6.2-1~dotdeb.0, openssl 1.0.1-4ubuntu5.20) and I could not access my site using TLSv1.1 or TLSv1.2. The setting:

  ssl_protocols TLSv1.2; 

made my site inaccessible. Downgrading nginx to version 1.4.6-1ubuntu3.1 from the default repositories resolved my problem; now TLSv1.2 works again. Therefore, in my opinion, your problem is not "using different ssl_protocols", but "using TLSv1.1 and TLSv1.2 in nginx 1.6.x~dotdeb".

https://www.dotdeb.org/2014/06/30/nginx-1-6-0-has-been-updated-for-wheezy-and-squeeze/#comment-32895

0

The server name is determined from the request (either from the TLS extension, if Server Name Indication is supported and present, or even from the HTTP request). So this is not possible at handshake time, before it finds out which server the client is connecting to and therefore which settings to use.

Update: here a member of the nginx team explains why this is not possible (for the same reason I wrote about).

-1

Source: https://habr.com/ru/post/1207978/

