
I have set up nginx with SSL (SNI based).

My first served vHost uses

```nginx
server {
...
    listen 443 ssl;
    server_name host1;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
....
```

On other vhosts I wanted to be stricter and only allow TLSv1.2

```nginx
server {
...
    listen 443 ssl;
    server_name host2;
    ssl_protocols TLSv1.2;
....
```

However, whatever I specify in any host config except the first one has no effect. The only change that occurs is when I change the first vhost. So host2 ends up with: TLSv1 TLSv1.1 TLSv1.2

It also works the other way round:

  • Only specify TLSv1.2 in first vhost
  • Specify all protocols in upcoming vhosts
  • Result is, all vhosts only use TLSv1.2

Is it not possible to use different protocols on different SSL SNI vhosts?

lockdoc
  • Do you have `ssl_ciphers` and/or `ssl_prefer_server_ciphers` in vhosts? – Drifter104 Mar 24 '16 at 09:43
  • Yes all vhosts have `ssl_prefer_server_ciphers` positively defined and also use either different or the same `ssl_ciphers` (Doesn't matter if they are the same or different, already tried) – lockdoc Mar 24 '16 at 10:09
  • Not so much same v different but specifically what ciphers. If you only enter tlsv1.2 ciphers and you prefer server it will only be tls1.2. – Drifter104 Mar 24 '16 at 10:27
  • I guess that's because SSL handshake occurs before nginx knows hostname, so it uses default one – Alexey Ten Mar 24 '16 at 22:56
  • @AlexeyTen however, it works for different ciphers... Any explanation on this? – lockdoc Mar 25 '16 at 16:02
  • Does this answer your question? [Can nginx use different SSL protocols in different server blocks?](https://serverfault.com/questions/627639/can-nginx-use-different-ssl-protocols-in-different-server-blocks) – rink.attendant.6 Apr 29 '20 at 21:37
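
An added example, not part of the original post and not nginx's own code: a config check that lists server blocks whose `ssl_protocols` would have no effect, assuming the behaviour reported in the question, namely that the default server for a listen value (the one marked `default_server`, otherwise the first defined) decides the protocols for every vhost sharing it. `SAMPLE_CONF`, `server_blocks` and `ineffective_ssl_protocols` are hypothetical names, and the parser is deliberately simplified.

```python
import re
# Constructed sample; assumes (as the question reports) the default server's ssl_protocols wins.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name host1;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name host2;
    ssl_protocols TLSv1.2;
}
"""

def server_blocks(conf):
    """Yield {directive: [args, ...]} per server block (simplified: no quoted '{', '}' or ';')."""
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, top = 1, []
        for c in conf[m.end():]:
            depth += (c == "{") - (c == "}")
            if depth == 0:
                break
            if c == "}":
                top.append(";")  # closing a nested block (e.g. location) ends a statement
            elif c != "{" and depth == 1:
                top.append(c)
        block = {}
        for words in (s.split() for s in "".join(top).split(";")):
            if words:
                block.setdefault(words[0], []).append(words[1:])
        yield block

def ineffective_ssl_protocols(conf):
    """Return (server_name, listen, wanted, effective) for blocks the default server overrides."""
    blocks, default, findings = list(server_blocks(conf)), {}, []
    for b in blocks:  # default server: flagged default_server, otherwise the first defined
        for args in b.get("listen", []):
            if "default_server" in args or args[0] not in default:
                default[args[0]] = b
    for b in blocks:
        for args in b.get("listen", []) if "ssl_protocols" in b else []:
            wanted = sorted(b["ssl_protocols"][-1])
            effective = sorted(default[args[0]].get("ssl_protocols", [[]])[-1])
            if wanted != effective:  # [] = default server sets none itself (inherited)
                name = b.get("server_name", [["?"]])[0][0]
                findings.append((name, args[0], wanted, effective))
    return findings
```

Listen values are compared as literal text, so `443` and `*:443` are treated as different sockets here.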
