
SSL SNI Support

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Francisco Esteves, Mar 4, 2015.

  1. Francisco Esteves

    Francisco Esteves New Member

  2. RoldanLT

    RoldanLT Well-Known Member

    I think it's enabled by default.
     
  3. Francisco Esteves

    Francisco Esteves New Member

    Are you sure? We ran a few tests a few months ago and had conflicts with the default configuration.

    Code:
    listen 443 ssl spdy;
    server_name domain.com;
    
    ssl_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/domaincom/ssl.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    ssl_prefer_server_ciphers on;
    add_header Alternate-Protocol 443:npn-spdy/3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    #add_header X-Content-Type-Options "nosniff";
    #add_header X-Frame-Options DENY;
    # nginx 1.5.9+ or higher
    # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
    # spdy_headers_comp 0;
    # ssl_buffer_size 4k;
    
    # enable ocsp stapling
    resolver 8.8.8.8;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt;
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yes, SNI is enabled by default, but it is only supported for browsers that support SNI, so WinXP browsers do not support SNI.

    What specifically do you mean by conflicts? Can you elaborate?
     
  5. Francisco Esteves

    Francisco Esteves New Member

    For example, when entering domain2.com, the browser loads the certificate from domain.com, on modern browsers.
    We will test this again.

    Thanks,
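    The symptom reported above (domain2.com being answered with domain.com's certificate) is easiest to confirm from the command line rather than from a browser, because a browser cache or a non-SNI client can mislead. The script below is an added example, not code from this thread or from Centmin Mod: it uses openssl s_client to ask the server which certificate it presents for a given SNI name, and separately which certificate it presents to a client that sends no SNI at all (the legacy-browser case eva2000 mentions). The function names, the SNI_HOST variable and the two SAMPLE_* outputs are constructed for this example; the -noservername flag assumes OpenSSL 1.1.1 or newer, and the parser looks only at the subject CN, not at subjectAltName.

```shell
#!/bin/sh
# Added example: report which certificate an nginx host presents per SNI name.
# Assumes OpenSSL 1.1.1+ (for -noservername). Not part of Centmin Mod.

# extract_cn: read "openssl s_client" output on stdin and print the leaf
# certificate's subject CN. Handles both "subject=CN = x" (OpenSSL 1.1+)
# and the older "subject=/C=..CN=x" layout.
extract_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# cn_matches CN HOSTNAME: succeed if CN covers HOSTNAME exactly or via a
# single-label wildcard (*.domain.com covers www.domain.com, not domain.com).
cn_matches() {
    cn=$1; hn=$2
    case "$cn" in
        "$hn") return 0 ;;
        \*.*)  [ "${hn#*.}" = "${cn#\*.}" ] && return 0 ;;
    esac
    return 1
}

# served_cn NAME [HOST] [PORT]: print the CN presented when the client sends
# SNI=NAME. An empty NAME connects without SNI, like a Windows XP browser.
served_cn() {
    name=$1; host=${2:-$1}; port=${3:-443}
    if [ -n "$name" ]; then
        out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$name" 2>/dev/null)
    else
        out=$(printf '' | openssl s_client -connect "$host:$port" -noservername 2>/dev/null)
    fi
    printf '%s\n' "$out" | extract_cn
}

# check_sni NAME...: compare the certificate served for each NAME with NAME
# itself, and show what a non-SNI client gets (the default server's cert).
# SNI_HOST (optional, constructed for this example) overrides the connect host,
# useful when the names are not yet pointed at the server.
check_sni() {
    host=${SNI_HOST:-$1}
    default_cn=$(served_cn "" "$host")
    printf 'no SNI (legacy client): %s\n' "${default_cn:-<none>}"
    rc=0
    for name in "$@"; do
        cn=$(served_cn "$name" "$host")
        if cn_matches "$cn" "$name"; then
            printf 'OK   %-30s -> %s\n' "$name" "$cn"
        else
            printf 'FAIL %-30s -> %s (expected a cert for %s)\n' "$name" "${cn:-<none>}" "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample s_client output (new and old OpenSSL subject formats)
# so the parser can be exercised offline.
SAMPLE_OUTPUT_NEW='CONNECTED(00000003)
depth=0 CN = domain2.com
verify return:1
---
subject=CN = domain2.com
issuer=C = US, O = Example CA
---'
SAMPLE_OUTPUT_OLD='CONNECTED(00000003)
---
subject=/C=PT/O=Example/CN=domain.com
issuer=/C=US/O=Example CA
---'

# Usage: sh sni_check.sh domain.com domain2.com
if [ $# -gt 0 ]; then
    check_sni "$@"
fi
```

    If every name reports OK but the "no SNI" line shows domain.com, the server is fine and the client simply lacks SNI; if a name reports FAIL with domain.com's CN, nginx fell back to its default server for that ip:port, which is what a missing `listen 443 ssl` in the second vhost, or two vhosts sharing one `ssl_certificate`, looks like from the outside.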
     
  6. eva2000

    eva2000 Administrator Staff Member
