所谓坑爹无极限。
之前debian系列用惯了,再去用CentOS系列就是感觉很坑爹了。
公司的服务器上的nginx怎么配都是只下载默认的ssl证书,根据域名配的证书都不被下载。刚开始还以为是浏览器不支持SNI,但是看了一下Nginx官方的文档,都是已经满足条件了,然后把目光放到nginx本身上来。果然在公司服务器上,nginx -V显示的就是TLS SNI support disabled.
来看官方的说明
In order to use SNI in nginx, it must be supported in both the OpenSSL library with which the nginx binary has been built as well as the library to which it is being dynamically linked at run time. OpenSSL supports SNI since 0.9.8f version if it was built with config option “--enable-tlsext”. Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, then nginx will show this when run with the “-V” switch:
$ nginx -V
...
TLS SNI support enabled
...However, if the SNI-enabled nginx is linked dynamically to an OpenSSL library without SNI support, nginx displays the warning:
nginx was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available
明白了吧。Nginx官方源里面的openssl库太老了。不知SNI,所以你怎么从源代码制定参数和编译都是木有用滴,除非你升级openssl库,或者下openssl源代码重新编译。
要省心还是debian系列舒服啊~~~
关于SNI,以及检测浏览器的SNI支持 Test client-side TLS SNI capability