
I have two different domains - thisdomain.com and portal.thisdomain.com. But only one public-facing IP address.

Each domain has its own SSL certificate, but they share the same intermediate CA.

Using the same IP address (and NGINX HTTP server has SNI support), I wanted to offer a different set of TLSv1.2-only cipher/hash/MAC for a different part of the website URL.

Is NGINX able to support a different set of cipher/hash/MAC across:

  • a different subdomain of the same domain?

and/or

  • a different URL subdirectory of the same domain?

while using the same IP address?

In the example of different domains, is https://portal.thisdomain.com/ capable of having its own cipher/hash/MAC set, distinct from https://thisdomain.com/?

In the example of a different URL subdirectory, is https://thisdomain.com/portal capable of having its own cipher/hash/MAC set, distinct from https://thisdomain.com/?

John Greene

1 Answer


The majority of your question is answered here: define ssl_ciphers in nginx for each vhost

If your two sites are defined as different vhosts, then you can specify different ciphers for each one.

However, no, you absolutely cannot have sub-directories using different ciphers, as TLS has already been negotiated before the rest of the HTTP request (that includes the path) can be inspected.

Mark Henderson
  • For the sake of completeness, I assume that this would rely on SNI to decide which configuration to use? – Håkan Lindqvist Oct 13 '16 at 17:53
  • Sure, if you have both bindings on the same IP address. But you might not - you might have different IP address bindings for the different hosts. That would not require SNI to determine which binding to use. – Mark Henderson Oct 13 '16 at 17:56
  • 1
    Yes, of course. I specifically had the question in mind ("...for different server of same IP address?"). – Håkan Lindqvist Oct 13 '16 at 18:00
  • Ideally, `nginx.conf` would template as: `http { server { listen 443 ssl http2; server_name thisdomain.com; root /var/www/vhosts/thisdomain.com/html; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 443 ssl http2; server_name portal.thisdomain.com; root /var/www/vhosts/portal.thisdomain.com/html; ssl_ciphers aNULL; } }` And we use a SSL certificate with several domain names in its AltSubjectName field? – John Greene Jan 09 '17 at 23:02
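The configuration the accepted answer describes, as an added example that is not part of the original answer or of the comment above: two `server` blocks bound to the same IP and port, selected by the SNI name in the ClientHello, each with its own `ssl_protocols`/`ssl_ciphers`. The hostnames, certificate paths, document roots and cipher strings are assumptions chosen for illustration. The commented-out `ssl_ciphers` inside `location /portal/` is there to show what happens if you try the per-directory approach: `nginx -t` rejects it, because the directive is only allowed in the `http` and `server` contexts.

```nginx
# Added example, not the original poster's config. Hostnames, paths and
# cipher lists below are assumptions for illustration.
http {
    # Main site: TLS 1.2 only, ECDHE with AES-GCM or ChaCha20.
    # First server block on 443 is also the default for clients that
    # send no SNI at all (or set default_server explicitly).
    server {
        listen 443 ssl http2 default_server;
        server_name thisdomain.com;
        root /var/www/vhosts/thisdomain.com/html;

        ssl_certificate     /etc/nginx/ssl/thisdomain.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/thisdomain.com.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
        ssl_prefer_server_ciphers on;

        # A path-scoped cipher policy is not possible: the cipher suite is
        # fixed during the TLS handshake, before the request line (and thus
        # the path) has been sent. Uncommenting the directive below makes
        # "nginx -t" fail with: "ssl_ciphers" directive is not allowed here
        location /portal/ {
            # ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
        }
    }

    # Portal: same IP and port, chosen by SNI, stricter suite list.
    server {
        listen 443 ssl http2;
        server_name portal.thisdomain.com;
        root /var/www/vhosts/portal.thisdomain.com/html;

        ssl_certificate     /etc/nginx/ssl/portal.thisdomain.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/portal.thisdomain.com.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
        ssl_prefer_server_ciphers on;
    }
}
```

Two checks worth running after `nginx -t && nginx -s reload`. First, confirm the split is really happening per SNI name by handshaking against the shared address (203.0.113.10 here is an assumed documentation address) with `openssl s_client -connect 203.0.113.10:443 -servername portal.thisdomain.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 </dev/null`: the portal block should refuse that suite with a handshake failure, while the same command with `-servername thisdomain.com` should succeed. Second, repeat without `-servername`: a client that sends no SNI lands on the `default_server` block and gets that block's certificate and cipher policy, so the default should be the stricter or at least an acceptable one. One caveat: keep `ssl_protocols` identical across the two blocks (or set it once in `http {}`), since the protocol version can be selected from the default server before the SNI-based server selection takes place, whereas the cipher list is applied per selected server.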