﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1192	ssl configuration inherited from the wrong server block	Alexey Ivanov		"I have the following configuration:

{{{
daemon off;
master_process off;

error_log stderr debug;

events {
    worker_connections  1024;
}


http {
    # catch-all HTTPS server
    server {
        listen       127.0.0.1:9443 ssl http2;
        server_name  _;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;
        location / {
            return 444;
        }
    }

    # HTTPS server
    server {
        listen       127.0.0.1:9443 ssl http2;
        server_name  example.com;

        # THIS DOES NOT WORK
        ssl_buffer_size 4k;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;

        location / {
            root   html;
        }
    }
}
}}}
... its aim is to drop all traffic with domain name != example.com

Though if you `curl` a big file there, e.g.:
{{{
curl -s -o /dev/null -k -v --resolve example.com:9443:127.0.0.1 'https://example.com:9443/somebigfile'
}}}
you can see that nginx is not applying `ssl_buffer_size` from the `server` block with a proper `server_name`, but instead is using 16k (`| fgrep 'SSL_write:'`), which I assume is inherited from the block with `server_name _`.

PS. It most likely behaves like that for all `ssl_` directives, including `ssl_certificate` and `ssl_certificate_key`, not only for the `ssl_buffer_size`.
PPS. curl is using SNI, so nginx should have enough data to pick proper server block during the ssl negotiation step."	defect	closed	minor		other	1.11.x	fixed			Linux 3.16.XXXX x86_64	"% ./objs/nginx -V
nginx version: nginx/1.11.10
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
built with OpenSSL 1.0.1 14 Mar 2012
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-debug --with-http_v2_module"
