
I'm painfully aware that using the ssl equivalent of:

server {
        listen 80;
        return 444;
}

kills all ssl exchanges, meanwhile, without something of the sort, nginx happily serves a random virtual host. Instead of trying to gracefully end the connection, I would like nginx to simply terminate the tcp connection. If I'm not mistaken, the ssl client has to send the domain as part of the negotiation. I would like nginx to simply close the connection if it can't find a virtual host that matches the domain the client is asking for. How could I do this? Should I use a middleman?

If a correct domain is given:

1. C: (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'site.example.com'.
2. S: (TLS Handshake) Hi There, Here is my Public Certificate, and lets use this encryption algorithm.

Now an invalid one:

1. C: (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'invalid-domain.com'.
2. S: CLOSE
  • You can't do that. The TLS handshake happens in OpenSSL and is complete before nginx gets a chance to do anything. Commented Feb 14, 2017 at 16:27
  • @MichaelHampton would a middle man, like haproxy, be able to improve this? Or all ssl servers treat openssl as a blackbox?
    – Braiam
    Commented Feb 14, 2017 at 16:30
  • It pretty much IS a black box. And not one you want to go messing around with for trivial reasons. Crypto is very easy to screw up. Commented Feb 14, 2017 at 16:31
