Nope, you only have a couple of choices.
1) Abort the TLS handshake, the client will get an error (that's your ERR_SSL_PROTOCOL_ERROR)
2) Present a default/fallback cert and key and hope the client isn't verifying certs
3) Try and generate a Let's Encrypt cert on the fly! See this thread https://groups.google.com/forum/?fromgroups=#!searchin/openresty-en/letsencrypt/openresty-en/g_Ynyfrrjdg/d-W0B0FsBQAJ
This handshake phase all happens before any HTTP protocol stuff happens, so you can't return an HTTP error yet.
If you go with 2) and the client still sends an HTTP request (i.e. it ignores the cert mismatch) then you can return whatever HTTP stuff you want.
Your best bet is to just have a default cert / key configured in the config file really :)
Hamish
On Thursday, 19 May 2016 13:33:40 UTC+1, AL wrote:
Suppose that we want to serve different ssl certs for different SNIs, but there is no "fallback"/default cert (unlike in https://github.com/openresty/lua-resty-core/issues/28).
How can we handle the case of an unknown SNI host most graciously? Calling ngx.exit() with ngx.ERROR or 404 causes an ERR_SSL_PROTOCOL_ERROR message. Is it possible to somehow render a 404, or redirect to the http protocol and then render a 404?
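
Option 2 from the reply above, as an added example that is not part of the original thread: the Lua handler swaps in a per-SNI cert when the name is known and otherwise leaves the statically configured default pair in place, so a 404 can only be sent once a client has completed the handshake despite the mismatch. The hostnames, file paths and the `known_certs` module name are constructed assumptions.

```nginx
# Constructed example: hostnames, paths and the known_certs name are placeholders.
events {}
http {
    init_by_lua_block {
        local ssl = require "ngx.ssl"
        local function load_der(path, convert)
            local f = assert(io.open(path, "rb"))
            local pem = f:read("*a")
            f:close()
            return assert(convert(pem))
        end
        -- SNI name -> DER cert chain and key, loaded once at startup.
        local known = {}
        for _, host in ipairs({ "a.example.test", "b.example.test" }) do
            known[host] = {
                cert = load_der("/etc/nginx/certs/" .. host .. ".crt", ssl.cert_pem_to_der),
                key  = load_der("/etc/nginx/certs/" .. host .. ".key", ssl.priv_key_pem_to_der),
            }
        end
        package.loaded["known_certs"] = known
    }

    server {
        listen 443 ssl;
        server_name _;
        # Default/fallback pair: served whenever the Lua handler returns without changes.
        ssl_certificate     /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"
            local entry = require("known_certs")[ssl.server_name() or ""]
            if not entry then
                return  -- unknown or absent SNI: keep the default cert, no HTTP exists yet
            end
            assert(ssl.clear_certs())
            assert(ssl.set_der_cert(entry.cert))
            assert(ssl.set_der_priv_key(entry.key))
        }

        location / {
            content_by_lua_block {
                -- Reached only after a completed handshake; now an HTTP status is possible.
                if not require("known_certs")[ngx.var.host] then
                    return ngx.exit(ngx.HTTP_NOT_FOUND)
                end
                ngx.say("hello from ", ngx.var.host)
            }
        }
    }
}
```

Clients that verify certificates will stop at the name mismatch on the default cert and never see the 404, which matches the behaviour described in the reply.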