ssl_protocols dont work in multi virtual servers #624

AncientDragon · 2025-04-08T12:05:34Z

AncientDragon
Apr 8, 2025

Environment

Include the result of the following commands:

1.27.4
3.10.0-1160.119.1.el7.x86_64 #

Description

ssl_protocols dont work in multi virtual servers

nginx configuration

server {
listen 80;
listen 443 ssl;
server_name a.xxx.com;
access_log /data/logs/nginx/a.xxx.com_access.log main;
error_log /data/logs/nginx/a.xxx.com_error.log warn;
ssl_certificate /data/servers/nginx/sslkey/xxx.com.pem;
ssl_certificate_key /data/servers/nginx/sslkey/xxx.com.key;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!DES:!3DES;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 20m;
location / {
return 200 'a';
}
}
server {
listen 80;
listen 443 ssl;
server_name b.xxx.com;
access_log /data/logs/nginx/b.xxx.com_access.log main;
error_log /data/logs/nginx/b.xxx.com_error.log warn;
ssl_certificate /data/servers/nginx/sslkey/xxx.com.pem;
ssl_certificate_key /data/servers/nginx/sslkey/xxx.com.key;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!DES:!3DES;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 20m;
location / {
return 200 'b';
}
}

nginx debug log

[root@pld1ljhlwtc01 sslkey]# openssl s_client -connect b.xxx.com:443 -tls1_1
CONNECTED(00000003)
139758139336592:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
139758139336592:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1744113791
Timeout : 7200 (sec)
Verify return code: 0 (ok)

[root@pld1ljhlwtc01 sslkey]# openssl s_client -connect b.xxx.com:443 -tls1_2
CONNECTED(00000003)
depth=3 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = "DigiCert, Inc.", CN = DigiCert Basic OV G2 TLS CN RSA4096 SHA256 2022 CA1
verify return:1

HanadaLee · 2025-04-08T15:11:50Z

HanadaLee
Apr 8, 2025

You must specify sni in your openssl test command. Otherwise the default server configuration will be used, i.e. a.xxx.com

openssl s_client -connect b.xxx.com:443 -tls1_1 -servername b.xxx.com

0 replies

AncientDragon · 2025-04-08T15:50:53Z

AncientDragon
Apr 8, 2025
Author

You must specify sni in your openssl test command. Otherwise the default server configuration will be used, i.e. a.xxx.com
openssl s_client -connect b.xxx.com:443 -tls1_1 -servername b.xxx.com

Thx, But,it does not work:
openssl s_client -connect b.xxx.com:443 -tls1_1 -servername b.xxx.com
CONNECTED(00000003)
139945043396496:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
139945043396496:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1744127253
Timeout : 7200 (sec)
Verify return code: 0 (ok)

0 replies

viktorberezikov · 2025-04-14T15:19:46Z

viktorberezikov
Apr 14, 2025
Collaborator

I suggest referring to the documentation. Certain directives should be specified with caution:

in case of the ssl_protocols directive, the protocol list is set by the OpenSSL library before the server configuration could be applied according to the name requested through SNI, thus, protocols should be specified only for a default server;

More information here:
https://nginx.org/en/docs/http/server_names.html#virtual_server_selection

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ssl_protocols dont work in multi virtual servers #624

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

ssl_protocols dont work in multi virtual servers #624

AncientDragon Apr 8, 2025

Environment

Description

nginx configuration

nginx debug log

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

Replies: 3 comments

HanadaLee Apr 8, 2025

AncientDragon Apr 8, 2025 Author

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

viktorberezikov Apr 14, 2025 Collaborator

AncientDragon
Apr 8, 2025

HanadaLee
Apr 8, 2025

AncientDragon
Apr 8, 2025
Author

viktorberezikov
Apr 14, 2025
Collaborator