ssl_reject_handshake
The `ssl_reject_handshake` directive controls whether the server rejects SSL/TLS handshakes according to the criteria defined in its configuration.
Description
The ssl_reject_handshake directive governs how the server handles the SSL/TLS handshake a client sends when it tries to open a secure connection. When enabled, the server denies the handshake attempt according to the rules or conditions set in the server configuration, so no encrypted session is established.
The directive may appear in the http or server context and takes a single flag parameter, on or off, which enables or disables handshake rejection respectively. With the directive set to on, a client connection that does not meet the configured criteria is terminated immediately, before an SSL connection is established. This is useful for administrators who want to tighten security by controlling which clients may complete an SSL handshake, based on the characteristics or behaviour of the connection.
Configure this directive together with other access control directives, such as allow and deny, to make full use of it. Doing so ensures that only authorized clients proceed through the handshake, reducing the exposure to unauthorized access and to weaknesses that may be exercised during SSL negotiation.
Config Example
server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_reject_handshake on;
}
Ensure that SSL/TLS is properly enabled for the server block where this directive is used.
Misconfiguration may lead to legitimate clients being denied access, so carefully test configurations before deploying in production.
Consider the impact on application functionality when rejecting SSL handshakes.
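The following is an added configuration example, not one from the page, showing the directive in a catch-all default server so that handshakes for any server name the configuration does not explicitly serve are rejected, while the named virtual host continues to serve normally. The hostname example.com and the certificate paths are assumptions.

```nginx
# Added example (not from the original page). Hostname and paths are assumed.

server {
    # Catch-all: selected for connections whose SNI matches no other
    # server block, and for connections that send no SNI at all.
    listen 443 ssl default_server;

    # Reject the TLS handshake outright. Because no session is built,
    # this block does not need ssl_certificate / ssl_certificate_key,
    # so no certificate (and no hostname) is leaked to probing clients.
    ssl_reject_handshake on;
}

server {
    # Only this explicitly named host completes a handshake.
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # assumed path

    location / {
        root /var/www/example.com;   # assumed path
    }
}
```

To verify the behaviour after reloading, connect with an unknown server name (for example `openssl s_client -connect <host>:443 -servername unknown.invalid`): the handshake should fail with a TLS alert instead of returning the example.com certificate, while `-servername example.com` should complete normally.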