I'm trying to set up a hostname to demonstrate a poor SSL config and I'm having some issues. I can specify some bad cipher suites, but nginx seems to ignore the protocol selection.
server {
    listen 443 spdy ssl;
    keepalive_timeout 70;
    server_name example.co.uk;
    client_max_body_size 10M;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/ssl.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ...
}

server {
    listen 443 spdy ssl;
    keepalive_timeout 70;
    server_name weak.example.co.uk;
    client_max_body_size 10M;
    ssl_certificate /path/to/weakssl.crt;
    ssl_certificate_key /path/to/weakssl.key;
    ssl_protocols SSLv3;
    ...
}
Nginx can use the different cipher suites I have specified, but seems to use the protocols from the first server block across the board such that weak.example.co.uk has TLSv1/1.1/1.2 and no SSLv3 support.
Is it possible to specify different protocols for each server block?
Best Answer
This seems to be a bug in nginx. I just had this now, took me a while to figure it out.
It's always only using the ssl_protocols directive from the first server block. In my case I have many virtual servers running on the same instance, so I used the nginx -T command to display the full combined config to figure out which server block was the "first", since I have split it up into many separate config files.

At time of writing I'm trying this on Ubuntu 14.04.5 with nginx installed from the ondrej/nginx PPA. Specifically I'm running nginx 1.10.2 built with OpenSSL 1.0.2j.

Output of nginx -V
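An added audit check for the situation described in the question and answer (example code, not from either post): it parses an nginx -T dump, lists the SSL server blocks in the order nginx prints them, and flags every host whose configured ssl_protocols differ from the first block's, which is what the reported behaviour actually enforces. The hostnames and file paths in the sample dump are constructed.

```python
"""Added example: find which server block's ssl_protocols nginx applied to every SNI host."""
import re

# Constructed sample of an `nginx -T` dump mirroring the question (hostnames are hypothetical).
SAMPLE_DUMP = """
# configuration file /etc/nginx/sites-enabled/main.conf:
server {
    listen 443 spdy ssl;
    server_name example.co.uk;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { return 200; }
}
# configuration file /etc/nginx/sites-enabled/weak.conf:
server {
    listen 443 spdy ssl;
    server_name weak.example.co.uk;
    ssl_protocols SSLv3;
}
"""

def server_blocks(dump):
    """Yield the body of each top-level `server { ... }` block in the order nginx -T prints them."""
    text = re.sub(r"#.*", "", dump)          # drop comments, including the "# configuration file" markers
    depth, start = 0, None
    for m in re.finditer(r"server\s*\{|\{|\}", text):
        tok = m.group()
        if tok.startswith("server") and depth == 0:
            start = m.end()
        depth += -1 if tok == "}" else 1
        if tok == "}" and depth == 0 and start is not None:
            yield text[start:m.start()]
            start = None

def directive(block, name):
    """Return the arguments of the first `name ...;` directive in a block, or None if absent."""
    m = re.search(r"(?m)^\s*%s\s+([^;]+);" % re.escape(name), block)
    return m.group(1).split() if m else None

def ssl_servers(dump):
    """(server_name, configured ssl_protocols) for every block whose listen carries `ssl`."""
    found = []
    for body in server_blocks(dump):
        listen = directive(body, "listen")
        if listen and "ssl" in listen:
            names = directive(body, "server_name") or ["(unnamed)"]
            found.append((names[0], directive(body, "ssl_protocols")))
    return found

def effective_protocols(dump):
    """Per the behaviour reported above, every SSL host gets the first SSL block's ssl_protocols."""
    servers = ssl_servers(dump)
    return {name: servers[0][1] for name, _ in servers}

def mismatches(dump):
    """Hosts whose own ssl_protocols differ from what is really enforced: the ones an audit should flag."""
    effective = effective_protocols(dump)
    return [(n, cfg, effective[n]) for n, cfg in ssl_servers(dump) if cfg != effective[n]]

if __name__ == "__main__":
    for name, configured, enforced in mismatches(SAMPLE_DUMP):
        print(f"{name}: configured {configured}, enforced {enforced}")
```

Swapping the two blocks in the dump shows the more dangerous direction: a host configured stricter than the first block is silently downgraded to the first block's protocols.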