EV is a requirement because upper management wants the 'green bar'.<div><br></div><div>It is my understanding that Apache has a configuration option to force SNI-only SSL handshake, returning a (user-configurable I believe) error to the non-SNI clients, therefore it must be possible to customize the action taken about the presence (or absence) of the SNI header.</div>
<div><br></div><div>I am no expert of the bits and bytes, step-by-step of SSL, but from what I have read while researching, the SNI specfication dictates that at the beginning of the handshake to estabish the SSL connection the client would send the URL to which it wants to connect, which is the main ingredient for SNI to work. Lack of this would indicate a non-SNI connection handshake.</div>
<div><br></div><div>Apache can act on it, I thought nginx could be able to act on it too, that's why I am asking. If nginx does not currently have this functionality, I see value in implementing it, and that's what I would like to propose:</div>
<div><br></div><div>A way to detect and segregate SNI and non-SNI connections before the SSL handshake finishes (this must be possible because it is the very way SNI works), and give the nginx administrator configurable options to act upon the different connections: give an error on non-SNI connections, or send them to a different server, or just accept them in the first ssl server.</div>
<div><br><div class="gmail_quote">On Wed, Jul 14, 2010 at 2:01 PM, Alex Sergeyev <span dir="ltr"><<a href="mailto:asergeyev@dyn.com">asergeyev@dyn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Tiago if (by any chance) your site names are in same domain - you may<br>
consider non-EV but WILDCARD certificate for *.domain.tld<br>
<font color="#888888"><br>
Alex.<br>
</font><div class="im"><br>
<br>
On Wed, 2010-07-14 at 13:17 -0300, Tiago Freire wrote:<br>
> I was hoping that there would be a configuration option on nginx to<br>
> either:<br>
> 1) give a 403 error - or whatever error is best fit - when it detects<br>
> non-SNI SSL handshake; or<br>
> 2) redirect non-SNI SSL handshake traffic to a different virtual<br>
> server.<br>
><br>
<br>
<br>
<br>
<br>
</div><div><div></div><div class="h5">_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://nginx.org/mailman/listinfo/nginx" target="_blank">http://nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-----<br>Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe<br>
</div>