How to define which SSL certificate nginx sends first with SNI?
The default_server setting of the listen directive should determine which certificate is sent for a request without SNI set in the handshake. Change the listen directive of the desired default:
listen 443 default_server ssl;
Related videos on Youtube
06 : 30
03 : 38
06 : 18
10 : 14
01 : 41
Vicral
Updated on September 18, 2022Comments
-
Vicral almost 2 years
I use nginx 1.2.7 with OpenSSL 0.9.8o on Debian Squeeze for about 30 domains. On two of them I enabled SSL which works fine on both.
The SSL config is use for both domains:
listen 443 ssl; ssl_certificate /etc/nginx/ssl/example.org-unified.crt; ssl_certificate_key /etc/nginx/ssl/example.org.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; add_header Strict-Transport-Security max-age=600000;Checking both domains with ssllabs.com checker I get for one domain the notice "This site works only in browsers with SNI support.". For the other domain I don't get this message. It seems like nginx by default sends the cert for the alphabetically first domain to clients without SNI support. Can I change this behaviour?
In other words: I want to configure nginx to have one specific domain with SSL working even for clients without SNI support. The other domains should work with SSL as well, but it is OK if it only works on SNI enabled clients.
Thanks!