After migrating our multi-tenant application to an nginx reverse proxy, which has SNI requirements, I encountered an interesting issue while doing some security clean-up after a routine PCI scan.
As I understand it, SNI is part of the TLSv1.1 protocol; however, we discovered that nginx SNI does not work without the TLSv1 protocol being enabled.
Steps to reproduce:
1. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
2. SNI works as expected
3. PCI scans complain of "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability" CVE-2011-3389
4. ssl_protocols TLSv1.1 TLSv1.2;
5. verify that SNI is now broken
Although not documented, I have found others stating that TLSv1 is required by nginx to support SNI, although TLSv1.1 is the earliest implementation of SNI, and Apache does not exhibit a similar limitation.
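A way to verify the behaviour described in the question from the client side, added here as an example and not part of the original post: probe the proxy with `openssl s_client`, forcing one TLS version at a time with `-tls1`, `-tls1_1` and `-tls1_2` and sending an explicit `-servername`, then compare the subject of the certificate returned for each tenant name. If SNI is honoured at a given version, each name comes back with its own subject; if both names return the same (default) certificate, or the handshake fails, SNI is not being applied at that version. The hostnames, port and tenant names below are placeholders. The `subject=` line is printed as `subject=/CN=...` by older OpenSSL and `subject=CN = ...` by newer ones, so the extractor tolerates both.

```shell
#!/bin/sh
# Added example: check which certificate nginx returns for a given SNI name
# at a given TLS version. Hostnames, port and tenant names are assumptions.

# Pull the "subject=" line of the server certificate out of s_client output.
# Reads captured s_client output on stdin; prints the subject, or nothing if
# no certificate line is present (e.g. the handshake failed).
extract_subject() {
    sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Run one probe: $1 = host:port, $2 = SNI name, $3 = openssl protocol flag
# (-tls1, -tls1_1 or -tls1_2). Prints the subject of the certificate the
# server presented, or HANDSHAKE-FAILED if none came back.
probe_sni() {
    target=$1; name=$2; proto=$3
    # </dev/null closes stdin so s_client exits right after the handshake.
    out=$(openssl s_client -connect "$target" -servername "$name" "$proto" </dev/null 2>/dev/null)
    subject=$(printf '%s\n' "$out" | extract_subject)
    if [ -z "$subject" ]; then
        echo "HANDSHAKE-FAILED"
    else
        echo "$subject"
    fi
}

# Tabulate the certificate served for each tenant name at each TLS version.
# $1 = host:port of the proxy, remaining args = tenant hostnames to test.
sni_report() {
    target=$1; shift
    for proto in -tls1 -tls1_1 -tls1_2; do
        for name in "$@"; do
            printf '%-8s %-28s %s\n' "$proto" "$name" "$(probe_sni "$target" "$name" "$proto")"
        done
    done
}

# Usage (placeholder hosts; run against the proxy with TLSv1 enabled, then
# again after removing it from ssl_protocols, and diff the two tables):
#   sni_report proxy.example.net:443 tenant-a.example.net tenant-b.example.net
```

Run the report once with `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and once with `ssl_protocols TLSv1.1 TLSv1.2;`. With the first configuration the `-tls1` rows are expected to fail the handshake only if the scanner's remediation has been applied; what matters for the question is whether the `-tls1_1` and `-tls1_2` rows still return a distinct subject per tenant name in both runs. Note that OpenSSL 1.1.1 and later send SNI by default, so the explicit `-servername` is what makes the probe behave the same on older OpenSSL builds.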