
SSL SNI Support

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Francisco Esteves, Mar 4, 2015.

  1. Francisco Esteves
  2. rdan
    I think it's enabled by default.
     
  3. Francisco Esteves
    Are you sure? We did a few tests a few months ago and had conflicts with the default configuration.

    Code:
    listen 443 ssl spdy;
    server_name domain.com;
    
    ssl_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/domaincom/ssl.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    ssl_prefer_server_ciphers on;
    add_header Alternate-Protocol 443:npn-spdy/3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    #add_header X-Content-Type-Options "nosniff";
    #add_header X-Frame-Options DENY;
    # nginx 1.5.9+ or higher
    # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
    # spdy_headers_comp 0;
    # ssl_buffer_size 4k;
    
    # enable ocsp stapling
    resolver 8.8.8.8;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt;
  4. eva2000
    Yes, SNI is enabled by default, but it's only supported for browsers that support SNI, so WinXP browsers do not support SNI.

    What specifically do you mean by conflicts? Can you elaborate?
     
  5. Francisco Esteves
    For example, when entering domain2.com, the browser loads the certificate from domain.com, on modern browsers.
    We will test this again.

    Thanks,
     
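A way to check the symptom described above from the client side (an added example, not code from the thread or from Centmin Mod): fetch the certificate a server presents for a hostname once with SNI and once without it, then test whether that certificate actually covers the name. Without SNI, nginx can only answer with the default server for that port (the first `listen 443 ssl` block unless one is marked `default_server`), so the no-SNI result shows which certificate a non-SNI client such as one on WinXP will see; if the same wrong certificate comes back even with SNI, no `ssl` server block with a matching `server_name` exists for that name. The example assumes the served certificates chain to the system trust store, and `SAMPLE_CERT` is a constructed stand-in for a domain.com certificate.

```python
import socket
import ssl
import sys


def cert_names(cert):
    """CN plus every DNS SAN from a dict shaped like SSLSocket.getpeercert()."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def covers(cert, hostname):
    """True if hostname matches the CN or a DNS SAN (single-label wildcard only)."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_names(cert)):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def fetch_cert(host, port=443, sni=True):
    """Leaf certificate the server presents, with SNI (server_hostname) or without it.
    Chain verification against the system trust store stays on so getpeercert()
    returns the parsed dict; hostname checking is off so a cert for the wrong
    name is returned for inspection instead of being rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def diagnose(host, port=443):
    """Compare what is served with and without SNI; the no-SNI answer is the default server's cert."""
    with_sni = fetch_cert(host, port, sni=True)
    without_sni = fetch_cert(host, port, sni=False)
    return {
        "sni_cert": cert_names(with_sni),
        "sni_matches": covers(with_sni, host),
        "default_cert": cert_names(without_sni),
    }


# Constructed sample, not from the thread: a certificate issued only for domain.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com")),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1]))
    else:
        print("domain2.com covered by sample cert:", covers(SAMPLE_CERT, "domain2.com"))
```

Run it as `python3 sni_check.py domain2.com`; a result where `sni_matches` is false while `default_cert` lists domain.com reproduces the behaviour reported in the thread.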
  6. eva2000