How to force SNI only connections, or have a fallback non-SNI server?

Hi,

I have heard about nginx before, and I am now considering using it for
several reasons; performance is one of them.

I have to put several servers with EV certificates behind a single IP
though, and I noticed nginx supports SNI.

I know that not all browsers support SNI, but we are developing web
applications where we can give ourselves the luxury of being a bit picky
about browser support.

What was not clear in the documentation was: does enabling SNI support
force all connections to be SNI, or will old browsers still ‘work’?
I understood that old browsers would only be able to go to the default
server.

If running with SNI still accepts old browsers, is there a configuration
option to force SNI-only connections?

Otherwise, is there any way to segregate SNI and non-SNI connections and
send them to different servers?

Best regards

On Tue, Jul 13, 2010 at 04:58:16PM -0300, Tiago Freire wrote:

Regardless of server SNI support, old browsers always get the certificate
of the default server, and they complain if the server name does not match
the certificate’s server name. Theoretically, after this you may redirect
them to another server, but it’s too late from the user’s point of view.


Igor S.
http://sysoev.ru/en/

I was hoping that there would be a configuration option on nginx to
either:

  1. give a 403 error - or whatever error is best fit - when it detects
    non-SNI SSL handshake; or
  2. redirect non-SNI SSL handshake traffic to a different virtual server.

Is this list the best place to suggest nginx features?

Tiago, if (by any chance) your site names are in the same domain, you may
consider a non-EV but WILDCARD certificate for *.domain.tld

Alex.

On Wed, Jul 14, 2010 at 01:17:57PM -0300, Tiago Freire wrote:

I was hoping that there would be a configuration option on nginx to either:

  1. give a 403 error - or whatever error is best fit - when it detects
    non-SNI SSL handshake; or
  2. redirect non-SNI SSL handshake traffic to a different virtual server.

Is this list the best place to suggest nginx features?

I do not understand why you want to detect non-SNI connections.

If you want to avoid the browser message about an inappropriate certificate,
then this is not allowed by the SSL protocol: before nginx may show a 403
error or send a redirect to a client, the client must establish the SSL
connection, and a certificate is indispensable during this process.

If you want to show a 403 error or send a redirect AFTER the browser has
shown a message about the inappropriate certificate, then you may try this
configuration:

 server {
     listen           443 default;
     server_name      _;
     ssl              on;
     ssl_certificate  dummy.name.cert;
     return           403;
 }

 server {
     listen           443;
     server_name      www.one.site;
     ssl              on;
     ssl_certificate  one.site.cert;
     ...
 }

 server {
     listen           443;
     server_name      www.two.site;
     ssl              on;
     ssl_certificate  two.site.cert;
     ...
 }

 server {
     listen           443;
     server_name      www.three.site;
     ssl              on;
     ssl_certificate  three.site.cert;
     ...
 }

Non-SNI browsers will always get dummy.name.cert, show the message,
and get a 403 error.
SNI-enabled browsers will get the appropriate certificate and will go
to the appropriate site.



Igor S.
http://sysoev.ru/en/

On Wed, Jul 14, 2010 at 03:47:29PM -0300, Tiago Freire wrote:

There is no way to tell a browser something like a 403 error or a redirect
before the SSL handshake finishes. If you mean Apache’s “SSLStrictSNIVHostCheck
on”, then it starts to work only after a browser has shown a message about
an inappropriate certificate name, if you have several sites on a single IP.

If you have only one server and want to enable SNI-only access, then
you can use:

 server {
     listen           443 default;
     server_name      _;
     ssl              on;
     ssl_certificate  one.site.cert;
     return           403;
 }

 server {
     listen           443;
     server_name      www.one.site;
     ssl              on;
     ssl_certificate  one.site.cert;
     ...
 }



Igor S.
http://sysoev.ru/en/

EV is a requirement because upper management wants the ‘green bar’.

It is my understanding that Apache has a configuration option to force an
SNI-only SSL handshake, returning a (user-configurable, I believe) error to
the non-SNI clients, therefore it must be possible to customize the action
taken on the presence (or absence) of the SNI header.

I am no expert on the bits and bytes, step-by-step of SSL, but from what I
have read while researching, the SNI specification dictates that at the
beginning of the handshake to establish the SSL connection the client would
send the URL to which it wants to connect, which is the main ingredient for
SNI to work. Lack of this would indicate a non-SNI connection handshake.

Apache can act on it, so I thought nginx could act on it too; that’s
why I am asking. If nginx does not currently have this functionality, I see
value in implementing it, and that’s what I would like to propose:

A way to detect and segregate SNI and non-SNI connections before the SSL
handshake finishes (this must be possible because it is the very way SNI
works), and give the nginx administrator configurable options to act upon
the different connections: give an error on non-SNI connections, or send
them to a different server, or just accept them in the first SSL server.

I have the same problem to solve right now, and I see the good idea of
sorting SNI-supporting and non-SNI browsers.

But what I came up with is that the user can connect to the server through
HTTP (no SSL), and the server determines what kind of browser it is (SNI or
not) and, depending on the answer, redirects to SSL on 443 (default https)
for SNI and 4433 for non-SNI.

So does anyone see how to determine if the client browser supports SNI?

I am not talking about a bunch of ifs (browser.version < … or
browser.version < …).
I need something more like TLS+SNI support - yes|no - maybe this kind of
combination could tell us - ssl_protocols SSLv3 TLSv1;

Thanks,
Chris
