[PATCH] Tests: enabled TLSv1 in ssl_sni_reneg.t
Sergey Kandaurov
pluknet at nginx.com
Tue Jul 11 11:49:12 UTC 2023
> On 10 Jul 2023, at 01:24, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1688521184 -10800
> # Wed Jul 05 04:39:44 2023 +0300
> # Node ID 85188791cd9cf688a29401e31221551345b76ff4
> # Parent c5767845481fc1d7df3e56b604fc4afdeab7be85
> Tests: enabled TLSv1 in ssl_sni_reneg.t.
>
> This fixes running the test with OpenSSL before 1.0.1, where TLSv1.2
> support was introduced.
>
> diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t
> --- a/ssl_sni_reneg.t
> +++ b/ssl_sni_reneg.t
> @@ -41,7 +41,7 @@ http {
>
> ssl_certificate_key localhost.key;
> ssl_certificate localhost.crt;
> - ssl_protocols TLSv1.2;
> + ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> server {
> listen 127.0.0.1:8443 ssl;
Looks good per se.
Though it doesn't answer how to best handle this in general
after disabling TLSv1 and TLSv1.1 by default (see ticket #1911),
which means unusable default configurations with OpenSSL < 1.0.1.
Updating affected configurations to turn it back might be painful
(nginx-tests is a good such example).
Disabling TLSv1/TLSv1.1 is a reason to also drop support for old
OpenSSL versions before 1.0.1 altogether, that is 0.9.8 and 1.0.0.
(Another option might be to keep TLSv1/TLSv1.1 enabled by default
iff the library doesn't support TLSv1.2 and above.)
For the record, date of the last commit in OpenSSL git branches
and the corresponding date of branch support removal in nginx:
0.9.6 2005-05 2009-06 4y
0.9.7 2008-10 2016-04 7y6m
0.9.8 2015-12 n/a 7y+
1.0.0 2016-02 n/a 7y+
[+] still counting
--
Sergey Kandaurov
More information about the nginx-devel
mailing list