ssl_protocols don't respected

Frank Liu gfrankliu at gmail.com
Sat Jul 3 04:47:11 UTC 2021


See this ticket: https://trac.nginx.org/nginx/ticket/844

On Fri, Jul 2, 2021 at 9:05 AM Alfred Sawaya <alfred at huji.fr> wrote:

> Sorry, don't bother.
>
> It is because the default value is inherited from the http block.
>
> And if the ssl_protocols is not specified in the http block, then the
> default value is to enable TLS 1, 1.1 and 1.2
>
>
> Maybe it would be more natural to not inherit for this directive if it is
> specified in an underlying block.
>
>
> Alfred
>
>
> On 02/07/2021 18:00, Alfred Sawaya wrote:
> > Hello,
> >
> >
> > I am trying to configure an nginx that can accept only one ssl
> > protocol. In order to do that, I tried to set ssl_protocols to only one
> > protocol, but it does not work.
> >
> > The server always accepts all TLS versions.
> >
> >
> > I found that in the source code:
> >
> > src/http/modules/ngx_http_ssl_module.c : 673
> >
> >     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
> >                          (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
> >                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
> >
> >
> > So nginx seems to always activate TLS 1, 1.1 and 1.2. It should rather
> > respect the directive ssl_protocols, shouldn't it?
> >
> > Why is it not:
> >
> > ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
> >                          (NGX_CONF_BITMASK_SET));
> >
> > With an if just before calling nginx_ssl_create to set conf->protocols
> > to NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2, only if
> > conf->protocols == 0 ?
> >
> >
> > (I also tried to use ssl_conf_command with MinProtocol and MaxProtocol,
> > it does not work either...)
> >
> >
> > Thank you,
> >
> > Alfred
> >
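The merge rule discussed in this thread, modelled as a stand-alone C program. This is an added example, not nginx source and not code from either poster. The bit values and the names merge_bitmask, effective_protocols and allows are made up for the model; only the if/else rule mirrors nginx's ngx_conf_merge_bitmask_value macro.

```c
#include <stdio.h>

/* Constructed bit values for this model; they are not copied from nginx. */
#define BITMASK_SET 0x01u  /* stands in for NGX_CONF_BITMASK_SET */
#define TLSV1       0x08u
#define TLSV1_1     0x10u
#define TLSV1_2     0x20u
#define TLSV1_3     0x40u
#define DEFAULTS    (BITMASK_SET | TLSV1 | TLSV1_1 | TLSV1_2)

/* Same rule as ngx_conf_merge_bitmask_value: the default applies only
 * when neither this level nor its parent set the directive (both 0). */
static unsigned merge_bitmask(unsigned conf, unsigned prev, unsigned dflt)
{
    if (conf == 0) {
        conf = (prev == 0) ? dflt : prev;
    }
    return conf;
}

/* Protocol mask a server block ends up with. Arguments are what the
 * http and server blocks set explicitly; 0 means "directive absent". */
unsigned effective_protocols(unsigned http_set, unsigned server_set)
{
    return merge_bitmask(server_set, http_set, DEFAULTS);
}

/* 1 if the merged mask enables the given protocol bit, else 0. */
int allows(unsigned mask, unsigned proto)
{
    return (mask & proto) != 0;
}

int main(void)
{
    unsigned m;

    m = effective_protocols(0, 0);            /* nothing set anywhere */
    printf("unset/unset  : TLSv1=%d TLSv1.3=%d\n", allows(m, TLSV1), allows(m, TLSV1_3));
    m = effective_protocols(0, TLSV1_3);      /* server block only */
    printf("unset/TLSv1.3: TLSv1=%d TLSv1.3=%d\n", allows(m, TLSV1), allows(m, TLSV1_3));
    m = effective_protocols(TLSV1_2, 0);      /* http block only */
    printf("TLSv1.2/unset: TLSv1=%d TLSv1.2=%d\n", allows(m, TLSV1), allows(m, TLSV1_2));
    return 0;
}
```

The model covers configuration merging only; it does not model which server block's settings a live TLS handshake ends up using.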