[PATCH] Tests: enabled TLSv1 in ssl_sni_reneg.t

Maxim Dounin mdounin at mdounin.ru
Tue Jul 11 23:43:55 UTC 2023


Hello!

On Tue, Jul 11, 2023 at 03:49:12PM +0400, Sergey Kandaurov wrote:

> > On 10 Jul 2023, at 01:24, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1688521184 -10800
> > #      Wed Jul 05 04:39:44 2023 +0300
> > # Node ID 85188791cd9cf688a29401e31221551345b76ff4
> > # Parent  c5767845481fc1d7df3e56b604fc4afdeab7be85
> > Tests: enabled TLSv1 in ssl_sni_reneg.t.
> > 
> > This fixes running the test with OpenSSL before 1.0.1, where TLSv1.2
> > support was introduced.
> > 
> > diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t
> > --- a/ssl_sni_reneg.t
> > +++ b/ssl_sni_reneg.t
> > @@ -41,7 +41,7 @@ http {
> > 
> >     ssl_certificate_key localhost.key;
> >     ssl_certificate localhost.crt;
> > -    ssl_protocols TLSv1.2;
> > +    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> > 
> >     server {
> >         listen       127.0.0.1:8443 ssl;
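Review bot: the hunk turns on TLSv1 and TLSv1.1 unconditionally, although the commit message gives OpenSSL before 1.0.1 (no TLSv1.2) as the only reason; a short comment next to `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` saying the legacy versions are there only so the test runs against old libraries would make the intent clear to anyone reusing the config, and would also mark the line for cleanup once TLSv1/TLSv1.1 are disabled by default (ticket #1911, as raised in this thread).
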
> 
> Looks good per se.

Pushed to http://mdounin.ru/hg/nginx-tests, thanks.

> Though it doesn't answer how to best handle this in general
> after disabling TLSv1 and TLSv1.1 by default (see ticket #1911),
> which means unusable default configurations with OpenSSL < 1.0.1.
> Updating affected configurations to turn it back might be painful
> (nginx-tests is a good such example).

Yep, that's something to consider if/when we decide to disable
TLSv1 and TLSv1.1 by default.

> Disabling TLSv1/TLSv1.1 is a reason to also drop support for old
> OpenSSL versions before 1.0.1 altogether, that is 0.9.8 and 1.0.0.
> (Another option might be to keep TLSv1/TLSv1.1 enabled by default
> iff the library doesn't support TLSv1.2 and above.)
> 
> For the record, date of the last commit in OpenSSL git branches
> and the corresponding date of branch support removal in nginx:
> 
> 0.9.6   2005-05 2009-06 4y
> 0.9.7   2008-10 2016-04 7y6m
> 0.9.8   2015-12 n/a     7y+
> 1.0.0   2016-02 n/a     7y+
> 
> [+] still counting

I tend to think we can more or less safely drop anything below
OpenSSL 1.0.2 now: the last release on the OpenSSL 1.0.1 branch,
OpenSSL 1.0.1u, was on 2016-09-22, so in terms of dates it's not
really different from the OpenSSL 1.0.0 branch.  Also, OpenSSL
releases from the 1.0.1 branch are no longer present in any
supported OSes I'm aware of.

On the other hand, support for OpenSSL at least back to 0.9.8zh
does not seem to be a major issue.

-- 
Maxim Dounin
http://mdounin.ru/

