Is there any possibility of allowing the use of SSL without the
ssl_certificate option in nginx?
Before you say I’m crazy, hear me out. I want to operate servers where
security is not required (the same content is served over HTTP) but it
would be nice to offer some encryption for people who desire it. I also
very strongly do not want to bother with certificates, especially as
those certificates would be self-signed and consequently offer zero
extra security assurance over anonymous DH mode.
The nginx config I want looks something like this:
    http {
        server {
            listen 443;
            ssl on;
            ssl_ciphers ADH:aNULL:eNULL;
        }
    }
I would happily settle for:
    http {
        server {
            listen 443;
            ssl on;
            ssl_ciphers ADH:aNULL:eNULL;
            ssl_without_certificate_because_im_crazy on;
        }
    }
Right now, I have to use:
    http {
        server {
            listen 443;
            ssl on;
            ssl_ciphers ADH:aNULL:eNULL;
            ssl_certificate /some/x509/cert/which/will/never/be/used.pem;
            ssl_certificate_key /some/x509/cert/which/will/never/be/used.pem;
        }
    }
I can’t even use /dev/null because nginx croaks on an invalid
certificate.
It’s a minor grief, certainly, but there really are perfectly valid SSL
modes that don’t involve a certificate on the server side and I’m hoping
to avoid having to create snakeoil certs for all of my servers.
--
-Julian Blake K. [email protected]
If this is a mailing list, please CC me on replies.
vim: set ft=text :
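As an added check that is not part of this thread or of nginx itself: a small Python audit of what an OpenSSL cipher string such as ADH:aNULL:eNULL actually leaves enabled, and whether a server block like the one above is one nginx will accept. The keyword table and the ADH/AECDH/eNULL family names are my own simplification of OpenSSL's cipher-string rules, and the sample server block is constructed from the question.

```python
import re

# Which suite families an OpenSSL cipher-string keyword selects, reduced to the
# families this check cares about: ADH (anonymous DH), AECDH (anonymous ECDH)
# and eNULL (no encryption). ALL, HIGH and COMPLEMENTOFDEFAULT include the
# anonymous suites, which is why "HIGH:!aNULL" is the usual idiom.
FAMILIES = {
    "aNULL": {"ADH", "AECDH"}, "ADH": {"ADH"}, "AECDH": {"AECDH"},
    "ALL": {"ADH", "AECDH"}, "HIGH": {"ADH", "AECDH"},
    "COMPLEMENTOFDEFAULT": {"ADH", "AECDH"},
    "eNULL": {"eNULL"}, "NULL": {"eNULL"}, "COMPLEMENTOFALL": {"eNULL"},
}

def cipher_string_risks(ciphers):
    """Return the risky families left enabled by an OpenSSL cipher string.
    Keywords are ':'-separated; '!' deletes permanently, '-' deletes until
    re-added, '+' only moves suites, and 'A+B' selects suites matching both."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", ciphers.strip()):
        if not token or token.startswith("@"):       # @STRENGTH, @SECLEVEL=n
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        known = [FAMILIES[p] for p in name.split("+") if p in FAMILIES]
        fams = set.intersection(*known) if known else set()
        if op == "!":
            killed |= fams
        elif op == "-":
            enabled -= fams
        elif op == "":
            enabled |= fams
    return enabled - killed

def audit_server_block(block):
    """Findings for one nginx server{} block given as text (constructed lint)."""
    findings = []
    ciphers = re.search(r"^\s*ssl_ciphers\s+([^;]+);", block, re.M)
    risks = cipher_string_risks(ciphers.group(1).strip('"\'')) if ciphers else set()
    if risks & {"ADH", "AECDH"}:
        findings.append("anonymous key exchange allowed: clients cannot authenticate the server")
    if "eNULL" in risks:
        findings.append("NULL-encryption suites allowed: application data is not encrypted")
    ssl_on = re.search(r"^\s*(ssl\s+on|listen\s+[^;]*\bssl\b)", block, re.M)
    if ssl_on and not re.search(r"^\s*ssl_certificate\s", block, re.M):
        findings.append("ssl enabled without ssl_certificate: nginx refuses this configuration")
    return findings

# Constructed sample: the server block the question asks for.
SAMPLE = "server {\n    listen 443;\n    ssl on;\n    ssl_ciphers ADH:aNULL:eNULL;\n}\n"

if __name__ == "__main__":
    for finding in audit_server_block(SAMPLE):
        print("finding:", finding)
```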
> Is there any possibility of allowing the use of SSL without the
> ssl_certificate option in nginx?

You're crazy.

> Before you say I'm crazy,

Never mind…

> hear me out. I want to operate servers where
> security is not required (the same content is served over HTTP) but it
> would be nice to offer some encryption for people who desire it. I also
> very strongly do not want to bother with certificates, especially as
> those certificates would be self-signed and consequently offer zero
> extra security assurance over anonymous DH mode.
The question you should ask: is any client other than openssl actually
capable of connecting successfully to such a server?
IIRC, Firefox disabled all the “insecure” SSL-ciphers some time ago
anyway…
Rainer
On Wed, Jan 05, 2011 at 10:48:33AM +0100, [email protected] wrote:
> The question you should ask: is any client other than openssl actually
> capable of connecting successfully to such a server?
> IIRC, Firefox disabled all the "insecure" SSL-ciphers some time ago anyway…
Firefox gives an error on connection, but some other browsers connect
just fine; the nginx configuration with a useless certificate works just
fine in practice for my purposes, it's just not as easy to set up and
deploy. For what it's worth, the most common clients for these sites by
volume are all libcurl, which works just fine as long as you set the
don't-verify-peer bits.
We have some patches queued up to send to a few more mainstream
browsers that enable ADH and NULL ciphers such that the lock icons are
not displayed and the URL bar is not colored, leaving the user
experience exactly the same as if no SSL was involved at all, which
seems like a politically acceptable compromise for getting ADH support
back into Firefox et al.
Unfortunately, browsers are complicated and testing all the pathways
involved in treating an SSL connection as an insecure connection is not
trivial, so I'm tilting at your windmill first and will be fighting
those other battles another day.
Thanks,
--
-Julian Blake K. [email protected]
If this is a mailing list, please CC me on replies.
vim: set ft=text :