id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 726 NGINX will use least level of security for SSL with SNI enabled. Null Blank "When utilizing SNI feature, the SSL security level may be breached due to unrelated site configuration. For example, a secure sub domain (secure.example.com) uses TLS and specific set of ciphers only. In the mean time all normal sub domains (www.example.com) on the same host uses default SSL configuration. With a valid wildcard *.example.com certification deployed, one can successfully connect to secure.example.com with banned ciphers. I understand that SSL protocol and ciphers are determined at handshaking stage, when no SNI feature involved. But I still believe that we could do better, for example, close the connection with 403 or no data at all when we found connection state is inconsistent with the requirements." defect closed major nginx-core 1.2.x wontfix ssl, sni Linux example 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux "nginx version: nginx/1.2.1 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-echo --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-upstream-fair --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-dav-ext-module"