Nginx 中每个服务器的不同 TLS 协议 [英] Different TLS protocols per server in Nginx
问题描述
我用两个不同的证书为两个 TLS 虚拟主机example.one"和example.two"配置了 Nginx.
I configured Nginx for two TLS virtualhost 'example.one' and 'example.two' with two different certficates.
我需要为第一个设置 TLS1.0+,第二个只设置 TLS1.2.但是第二个(example.two)配置忽略 ssl_protocols 指令并从第一个服务器指令中获取 ssl_procolols.
I need to setup TLS1.0+ for the first one and only TLS1.2 for the second one. However the second one (example.two) configuration ignores ssl_protocols directive and takes ssl_procolols from first server directive.
所以两个服务器指令都使用第一个配置的 ssl_protocols 指令.
So both server directive uses the first configured ssl_protocols directive.
server {
listen 443 default_server ssl spdy;
server_name example.one;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /certs/cert-for-example.one.pem;
ssl_certificate_key /certs/privkey-for-example.one.pem;
# another ssl_* directives ...
}
server {
listen 443 ssl spdy;
server_name example.two;
ssl_protocols TLSv1.2;
ssl_certificate /certs/cert-for-example.two.pem;
ssl_certificate_key /certs/privkey-for-example.two.pem;
# another ssl_* directives ...
}
我不想使用 SSL3,所以 TLS SNI 应该可以正常工作.而且我不关心没有 TLS SNI 支持的客户端.
I don't want to use SSL3 so the TLS SNI should work fine. And I don`t care about clients without TLS SNI support.
只有相关信息,我发现是这里.它说,Openssl 负责.
Only relevent information, i found is here. It says, Openssl is responsible.
我做错了吗?或者有解决方法吗?(除了服务器指令的单独 IP 地址,但我不想回到石器时代)
Am I doing something wrong ? Or is there a workaround for this ? (Except separate IP adress for server directive, but I don`t wanna go back to Stone Age)
我在 Debian Wheezy 上使用 Nginx/1.6.2、OpenSSL 1.0.1e.
I use Nginx/1.6.2, OpenSSL 1.0.1e on Debian Wheezy.
推荐答案
作为一种解决方法,可以使用 ssl_ciphers
指令来限制 TLS 协议版本.提供 TLSv1.2 特定密码套件将有效防止较低 TLS 版本的握手.所以,对于上面的例子,
As a workaround, there are a possible to restrict TLS protocol version using ssl_ciphers
directive. Supplying TLSv1.2 specific cipher suites will effectively prevent handshake for lower TLS versions. So, for above example,
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256';
而不是 ssl_protocols TLSv1.2;
可以解决问题.
instead ssl_protocols TLSv1.2;
will do the trick.
这篇关于Nginx 中每个服务器的不同 TLS 协议的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!