How to define which SSL certificate nginx sends first with SNI?
I use nginx 1.2.7 with OpenSSL 0.9.8o on Debian Squeeze for about 30 domains. On two of them I enabled SSL which works fine on both.
The SSL config is use for both domains:
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/example.org-unified.crt;
ssl_certificate_key /etc/nginx/ssl/example.org.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security max-age=600000;
Checking both domains with ssllabs.com checker I get for one domain the notice "This site works only in browsers with SNI support.". For the other domain I don't get this message. It seems like nginx by default sends the cert for the alphabetically first domain to clients without SNI support. Can I change this behaviour?
In other words: I want to configure nginx to have one specific domain with SSL working even for clients without SNI support. The other domains should work with SSL as well, but it is OK if it only works on SNI enabled clients.
Thanks!
Solution 1:
The default_server
setting of the listen
directive should determine which certificate is sent for a request without SNI set in the handshake. Change the listen
directive of the desired default:
listen 443 default_server ssl;