ssl_protocols not respected

Alfred Sawaya alfred at huji.fr
Fri Jul 2 16:05:40 UTC 2021


Sorry, don't bother.

It is because the default value is inherited from the http block.

And if ssl_protocols is not specified in the http block, then the
default value is to enable TLS 1, 1.1 and 1.2


Maybe it would be more natural to not inherit for this directive if it is
specified in an underlying block.


Alfred


On 02/07/2021 18:00, Alfred Sawaya wrote:
> Hello,
>
>
> I am trying to configure an nginx that can accept only one ssl
> protocol. In order to do that, I tried to set ssl_protocols to only one
> protocol, but it does not work.
>
> The server always accepts all TLS versions.
>
>
> I found that in the source code:
>
> src/http/modules/ngx_http_ssl_module.c : 673
>
>     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
>                          (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
>                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
>
>
> So nginx seems to always activate TLS 1, 1.1 and 1.2. It should rather
> respect the directive ssl_protocols, shouldn't it?
>
> Why is it not:
>
> ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
>                          (NGX_CONF_BITMASK_SET));
>
> With an if just before calling nginx_ssl_create to set conf->protocols
> to NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2, only if
> conf->protocols == 0 ?
>
>
> (I also tried to use ssl_conf_command with MinProtocol and MaxProtocol,
> it does not work either...)
>
>
> Thank you,
>
> Alfred
>
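
The http/server inheritance described in this thread, as an added stand-alone example (not code from the thread or from nginx itself): it reproduces the ngx_conf_merge_bitmask_value macro and the bit values from nginx's headers, computes the effective mask for a server block from the http-level and server-level settings, and adds a small audit check for TLS 1.0/1.1; effective_protocols() and allows_legacy_tls() are names chosen here.

```c
#include <stdio.h>

/* Bit values as defined in nginx headers (ngx_conf_file.h, ngx_event_openssl.h). */
#define NGX_CONF_BITMASK_SET  0x0001
#define NGX_SSL_TLSv1         0x0008
#define NGX_SSL_TLSv1_1       0x0010
#define NGX_SSL_TLSv1_2       0x0020
#define NGX_SSL_TLSv1_3       0x0040

/* The merge macro the quoted snippet calls: a value of 0 means "directive not
 * set in this block"; then the enclosing block's value is used if it was set,
 * otherwise the compiled-in default. */
#define ngx_conf_merge_bitmask_value(conf, prev, default)                    \
    if (conf == 0) {                                                         \
        conf = (prev == 0) ? default : prev;                                 \
    }

/* Default from the ngx_http_ssl_module.c line quoted in the thread. */
#define DEFAULT_PROTOCOLS (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 \
                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)

/* Effective ssl_protocols mask for a server{} block, given the masks parsed at
 * http{} level and server{} level (0 = not set at that level). */
unsigned int effective_protocols(unsigned int http_protocols,
                                 unsigned int server_protocols)
{
    unsigned int conf = server_protocols;   /* this block's own directive */
    unsigned int prev = http_protocols;     /* enclosing http{} block */

    ngx_conf_merge_bitmask_value(conf, prev, DEFAULT_PROTOCOLS);
    return conf;
}

/* Audit check: does the effective mask still enable TLS 1.0 or TLS 1.1? */
int allows_legacy_tls(unsigned int protocols)
{
    return (protocols & (NGX_SSL_TLSv1|NGX_SSL_TLSv1_1)) != 0;
}

int main(void)
{
    unsigned int http_modern = NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3;
    unsigned int server_only12 = NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1_2;

    /* Constructed cases: unset everywhere, set in http only, overridden in server. */
    printf("unset/unset      -> 0x%04x legacy=%d\n", effective_protocols(0, 0),
           allows_legacy_tls(effective_protocols(0, 0)));
    printf("http/unset       -> 0x%04x\n", effective_protocols(http_modern, 0));
    printf("http/server      -> 0x%04x\n", effective_protocols(http_modern, server_only12));
    return 0;
}
```

Reading the three cases side by side shows why an unset http-level directive yields a mask that still contains TLS 1.0 and 1.1 in this nginx version (newer nginx releases changed the compiled-in default to TLSv1.2 and TLSv1.3).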


More information about the nginx-devel mailing list