
Is it possible to have different TLS protocols for different server names?

Question asked by Mikes on Dec 1, 2014
Latest reply on Dec 5, 2014 by Mikes

I configured Nginx for two TLS virtual hosts, 'example.one' and 'example.two', with two different certificates.

I need to set up TLS1.0+ for the first one and only TLS1.2 for the second one. However, the second one's (example.two) configuration ignores its ssl_protocols directive and takes ssl_protocols from the first server directive.

So both server directives use the first configured ssl_protocols directive.

server {
    listen 443 default_server ssl spdy;
    server_name example.one;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_certificate /certs/cert-for-example.one.pem;
    ssl_certificate_key /certs/privkey-for-example.one.pem;

    # other ssl_* directives ...
}

server {
    listen 443 ssl spdy;
    server_name example.two;

    ssl_protocols TLSv1.2;

    ssl_certificate /certs/cert-for-example.two.pem;
    ssl_certificate_key /certs/privkey-for-example.two.pem;

    # other ssl_* directives ...
}

I don't want to use SSL3, so TLS SNI should work fine. And I don't care about clients without TLS SNI support.

The only relevant information I found is here. It says OpenSSL is responsible.

Am I doing something wrong? Or is there a workaround for this? (Except a separate IP address for each server directive, but I don't wanna go back to the Stone Age)

I use Nginx/1.6.2, OpenSSL 1.0.1e on Debian Wheezy.
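
An added example (not part of the original post and not nginx code): a Python lint for the situation the question reports, flagging any non-default server whose ssl_protocols differs from the default server on the same listen socket, so the stricter setting is not silently lost. It assumes listen addresses are compared as written; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample mirroring the two server blocks in the question.
SAMPLE_CONF = """
server {
    listen 443 default_server ssl spdy;
    server_name example.one;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl spdy;
    server_name example.two;
    ssl_protocols TLSv1.2;
}
"""

def parse_servers(conf):
    """Return one dict per server block: name, TLS listen args, protocols."""
    conf = re.sub(r"#[^\n]*", "", conf)              # drop comments
    servers = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):               # find the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body, prev = conf[m.end():i - 1], None
        while body != prev:                          # discard nested blocks
            prev, body = body, re.sub(r"\{[^{}]*\}", ";", body)
        d = {"server_name": [], "listen": [], "ssl_protocols": []}
        for words in (stmt.split() for stmt in body.split(";")):
            if words and words[0] in d:
                d[words[0]].append(words[1:])
        servers.append({"name": next((n for a in d["server_name"] for n in a), ""),
                        "listens": [a for a in d["listen"] if "ssl" in a],
                        "protocols": sorted({p for a in d["ssl_protocols"] for p in a})})
    return servers

def ignored_protocol_overrides(conf):
    """(socket, server_name, configured, effective) for each non-default
    server whose ssl_protocols differ from its socket's default server."""
    servers, default = parse_servers(conf), {}
    for s in servers:   # first server on a socket is default unless one is marked
        for a in s["listens"]:
            if "default_server" in a or a[0] not in default:
                default[a[0]] = s
    return [(a[0], s["name"], s["protocols"], default[a[0]]["protocols"])
            for s in servers for a in s["listens"]
            if default[a[0]] is not s and s["protocols"]
            and s["protocols"] != default[a[0]]["protocols"]]
```

Run it over a real configuration with `ignored_protocol_overrides(open(path).read())`; an empty list means no server on a shared socket sets a protocol list that differs from its default server.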
