Weird proxy_ssl_protocol ordering

bclod nginx-forum at
Fri Jan 13 17:33:16 UTC 2017

Hello All,

I found some strange behavior while troubleshooting a connectivity issue
today.  Below was the scenario.

* Upstream Backend configured to allow TLSv1.1 and TLSv1.2
* Client (nginx) configured with proxy_ssl_protocols TLSv1 TLSv1.2

No matter the ordering of nginx proxy_ssl_protocols, TLSv1 was always
attempted first and the handshake would fail. Once I added TLSv1.1, it caused
TLSv1.2 to be attempted first, which would be successful to the Server.

Is this a bug?  I always assumed that nginx would default to highest
supported protocol outbound; but it seems that "TLSv1 TLSv1.2" might
introduce some sort of strange ordering issue.

We're using openresty which internally uses nginx 1.11.2.

Posted at Nginx Forum:,271984,271984#msg-271984
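
The post reports that a protocol list with a gap (TLSv1 and TLSv1.2 without TLSv1.1) never got as far as TLSv1.2. The following is an added example, not part of the original post or of nginx: a small check that flags such non-contiguous lists in a configuration before deployment. The function name, the sample configuration and the host backend.example are constructed for illustration.

```python
import re

# Protocol names nginx accepts in *ssl_protocols directives, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Matches ssl_protocols, proxy_ssl_protocols, grpc_ssl_protocols, etc. when the
# directive starts its own line; commented-out directives are skipped.
DIRECTIVE = re.compile(r"^\s*(\w*ssl_protocols)\s+([^;#]+);", re.MULTILINE)


def find_protocol_gaps(conf_text):
    """Return (line_no, directive, enabled, missing) for each list with a hole."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        enabled = [p for p in m.group(2).split() if p in ORDER]
        if not enabled:
            continue
        idx = sorted(ORDER.index(p) for p in enabled)
        # Any version between the lowest and highest enabled one that is
        # not itself enabled is a hole in the list.
        missing = [ORDER[i] for i in range(idx[0], idx[-1] + 1) if i not in idx]
        if missing:
            line_no = conf_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(1), enabled, missing))
    return findings


# Constructed sample configuration reproducing the two lists from the post.
SAMPLE_CONF = """\
location /api/ {
    proxy_pass https://backend.example;
    proxy_ssl_protocols TLSv1 TLSv1.2;   # list from the post: handshake failed
}
location /ok/ {
    proxy_pass https://backend.example;
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # list that worked
}
"""

if __name__ == "__main__":
    for line_no, name, enabled, missing in find_protocol_gaps(SAMPLE_CONF):
        print(f"line {line_no}: {name} {' '.join(enabled)} "
              f"skips {', '.join(missing)}")
```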
