nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

Andreas Bartelt nginx at bartelt.name
Mon Nov 30 10:52:38 UTC 2020


Thanks for your reply.

I've recompiled nginx on OpenBSD in order to get rid of the LibreSSL 
version mismatch which is gone now:
# nginx -V
nginx version: nginx/1.18.0
built with LibreSSL 3.3.0

Unfortunately, this didn't solve the problem, i.e., TLS 1.3 is still 
enabled on my OpenBSD/nginx setup with the same nginx.conf.

As I've previously indicated, I've also observed the same problem on a 
fully patched Ubuntu 20.04 system with nginx 1.18.0/OpenSSL 1.1.1f -- 
I'm not sure if this was a misunderstanding since you wrote in past 
tense regarding problems with Ubuntu's repos. Did you also check if TLS 
1.3 is enabled with "ssl_protocols TLSv1.2;" in nginx.conf but got 
different results?

Best regards
Andreas

On 11/29/20 5:23 PM, Thomas Ward wrote:
> We had this problem in Ubuntu's repos until we rebuilt against newer OpenSSL and the TLS 1.3 variables were exposed to NGINX at build time - then you could turn it off in ssl_protocols by not specifying TLSv1.3.However, your case indicates that you are linked (compiled) against older LibreSSL than you are running.  NGINX can't know what newer items are available without a recompile.  This applies to OpenSSL as well.  Its not just what version of the SSL libraries you are running - its what version of the libs you compiled with as well.Sent from my Sprint Samsung Galaxy Note10+.
> -------- Original message --------From: nginx at bartelt.name Date: 11/29/20  10:01  (GMT-05:00) To: nginx at nginx.org Subject: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols
>    TLSv1.2; " in nginx.conf config) Hello,I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not configured to do so. I've observed this behavior on OpenBSD with (nginx 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0 linked against OpenSSL 1.1.1f). I don't know which release of nginx introduced this bug. From nginx.conf:ssl_protocols TLSv1.2;--> in my understanding, this config statement should only enable TLS 1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is implicitly enabled in addition to TLS 1.2.Best regardsAndreas# nginx -Vnginx version: nginx/1.18.0built with LibreSSL 3.2.2 (running with LibreSSL 3.3.0)_______________________________________________nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 



More information about the nginx mailing list