
curl "Connection refused" caused by SSL config (1 reply)

Hi all,

I have a strange problem with nginx:
I tried to harden the TLS stack by setting default to recommended values from https://wiki.mozilla.org/Security/Server_Side_TLS but one server has to keep backward compatibility -- so I set it up as

http {
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ...
    ssl_prefer_server_ciphers on;

    server {
        listen 443 spdy;
        server_name .foo.com bar.foo.com;
    }
    server {
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ...
        ssl_prefer_server_ciphers on;

        listen 443 spdy;
        server_name foobar.foo.com;
    }
}


Problem is that foobar.foo.com starts freezing up randomly after a few seconds -- though sometimes comes back for a short while.
curl from outside reports error as "connection refused"; using curl localhost:443 responds properly with "* SSL: no alternative certificate subject name matches target host name 'localhost'"
CPU usage is not much different from older config; there are no obvious errors in error_log.

Problem goes away if http-level ssl config is commented out (ssl_protocols, especially). I think that indicates this config is not properly parsed at the "server" level (does not override http level?)
Seems that I can use the http-level config inside .foo.com server config without interfering, but I'd like it to be config default instead.

Other notes: the 2 nginx hosts in question are behind a hardware load balancer.
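
An added example, not part of the original post and not nginx tooling: a small Python lint that resolves which ssl_protocols each server block declares or inherits from the http level, and flags listen sockets where name-based servers end up with different protocol sets, which is the layout the post asks about. It assumes a simplified config (the constructed sample below, ciphers omitted, no include files, no explicit default_server parameter, so the first server block on a socket is treated as its default); the function names are hypothetical.

```python
import re

# Constructed sample modelled on the post's layout; ssl_ciphers omitted.
SAMPLE = """
http {
    ssl_protocols TLSv1.1 TLSv1.2;
    server { listen 443 spdy; server_name .foo.com bar.foo.com; }
    server {
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        listen 443 spdy;
        server_name foobar.foo.com;
    }
}
"""

def parse_servers(conf):
    """Return one dict per server block: listen ports, names, and the
    ssl_protocols it declares itself or inherits from the http level."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, words, http_protocols, servers = [], [], None, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack == ["http", "server"]:
                servers.append({"listen": [], "names": [], "protocols": None})
        elif tok == "}":
            if stack:
                stack.pop()
        elif words:  # a directive terminated by ';'
            name, args = words[0], words[1:]
            if stack == ["http"] and name == "ssl_protocols":
                http_protocols = args
            elif stack == ["http", "server"]:
                srv = servers[-1]
                if name == "listen":
                    srv["listen"].append(args[0])
                elif name == "server_name":
                    srv["names"] += args
                elif name == "ssl_protocols":
                    srv["protocols"] = args
        words = []
    for srv in servers:  # apply inheritance once the whole http block is read
        if srv["protocols"] is None:
            srv["protocols"] = http_protocols
    return servers

def mixed_sockets(servers):
    """Map each listen socket whose servers resolve to different protocol
    sets to the names of its first (implicit default) server block."""
    by_socket = {}
    for srv in servers:
        for sock in srv["listen"]:
            by_socket.setdefault(sock, []).append(srv)
    return {sock: group[0]["names"] for sock, group in by_socket.items()
            if len({frozenset(s["protocols"] or []) for s in group}) > 1}

if __name__ == "__main__":
    print(mixed_sockets(parse_servers(SAMPLE)))
```
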
