ssl_protocols not respected
Alfred Sawaya
alfred at huji.fr
Fri Jul 2 16:00:34 UTC 2021
Hello,
I am trying to configure an nginx that accepts only one SSL
protocol. In order to do that, I tried to set ssl_protocols to only one
protocol, but it does not work.
The server always accepts all TLS versions.
I found this in the source code:
src/http/modules/ngx_http_ssl_module.c : 673

    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

So nginx seems to always activate TLS 1, 1.1 and 1.2. It should rather
respect the directive ssl_protocols, shouldn't it?
Why is it not:

    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET));

with an if just before calling ngx_ssl_create to set conf->protocols
to NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2, only if
conf->protocols == 0?
(I also tried to use ssl_conf_command with MinProtocol and MaxProtocol,
it does not work either...)
Thank you,
Alfred
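
A stand-alone model of the merge call quoted in the message above, added here as an example; it is not nginx source and not part of the original post. The flag values and the helpers merge_protocols and show are assumptions made for illustration, and the merge rule is modelled as "the third argument is used only when neither this level nor its parent set a value".

```c
#include <stdio.h>

/* Illustrative flag values for this model (assumed, not copied from nginx). */
#define BITMASK_SET  0x01u   /* stands in for NGX_CONF_BITMASK_SET */
#define TLSV1        0x08u   /* stands in for NGX_SSL_TLSv1 */
#define TLSV1_1      0x10u   /* stands in for NGX_SSL_TLSv1_1 */
#define TLSV1_2      0x20u   /* stands in for NGX_SSL_TLSv1_2 */
#define DEFAULTS     (BITMASK_SET | TLSV1 | TLSV1_1 | TLSV1_2)

/* Modelled merge rule: a value set at this level wins, otherwise the
 * parent's value is inherited, otherwise the default is used. */
static unsigned merge_protocols(unsigned conf, unsigned prev, unsigned dflt)
{
    if (conf == 0) {
        conf = (prev == 0) ? dflt : prev;
    }
    return conf;
}

/* Print the protocol bits that end up enabled for one server block. */
static void show(const char *label, unsigned protocols)
{
    printf("%-36s:%s%s%s\n", label,
           (protocols & TLSV1)   ? " TLSv1"   : "",
           (protocols & TLSV1_1) ? " TLSv1.1" : "",
           (protocols & TLSV1_2) ? " TLSv1.2" : "");
}

int main(void)
{
    /* Constructed cases: (server-level value, http-level value). */
    show("server sets TLSv1.2 only",
         merge_protocols(TLSV1_2, 0, DEFAULTS));
    show("http sets TLSv1.2, server unset",
         merge_protocols(0, TLSV1_2, DEFAULTS));
    show("nothing set at either level",
         merge_protocols(0, 0, DEFAULTS));
    show("server sets TLSv1.2, http sets TLSv1",
         merge_protocols(TLSV1_2, TLSV1, DEFAULTS));
    return 0;
}
```

Under this model the three-protocol default appears only in the case where no level sets a value; the other cases keep exactly the bits that were configured.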