config for ssl_reject_handshake off;

[revanth-Infoworks]

Is there way to configure to ssl_reject_handshake off?
As I understand, the current logic is, if there are no certs specified by default, then it is set to "on".

For some testing, I want to set this to off, is there a way for this?
Thanks in advance.

[oseoin]

Hi @revanth-Infoworks, assuming that creating your own certificate for default termination does not fit your use case, for now the only option would be to use a custom template to hardcode the directive to off. If you have any more details on your use case we could check if there are any alternatives? Thanks!

[jasonwilliams14]

@revanth-Infoworks ssl_reject_handshake off is only set for the default_server. If you apply your own certificates, it will not be set. Otherwise, you have to modify the templates as @oseoin suggested.

[brianehlert]

@revanth-Infoworks Did you get your question answered? Or do you still have questions?

[revanth-Infoworks]

Thanks @oseoin and @jasonwilliams14 for your answers.

My use case is that I am migrating from https://github.com/kubernetes/ingress-nginx for our current setup.
We use cloudflare proxy for the dns records and do not apply our own certs in the ingress definition.
ingress-nginx does not seems to have ssl_reject_handshake on in this case hence caused difference in behaviour during migration.

However the answer provided here is useful for me. Thanks for the help.

[brianehlert]

Yes. This is security enhancement unique to this implementation.
When a default certificate is not provided, this project will enable ssl_reject_handshake when the traffic does not match a configured hostname and path.
Thus the ssl connection is terminated immediately and no TLS settings or cyphers are revealed when ssl is used by malicious actors to probe your site. It also reduces overhead because time is not spent on beginning the ssl handshake process for not matching traffic.