[PATCH] Added TLSv1.3 to the default value of ssl_protocols and friends
Yaroslav Zhuravlev
yar at nginx.com
Tue Mar 28 14:37:31 UTC 2023
> On 24 Mar 2023, at 15:30, Maxim Konovalov <maxim at nginx.com> wrote:
>
> Hi Yar,
>
> On 21.03.2023 00:19, Yaroslav Zhuravlev wrote:
>> diff --git a/xml/en/docs/http/ngx_http_grpc_module.xml b/xml/en/docs/http/ngx_http_grpc_module.xml
>> --- a/xml/en/docs/http/ngx_http_grpc_module.xml
>> +++ b/xml/en/docs/http/ngx_http_grpc_module.xml
> [...]
>> @@ -633,7 +633,7 @@
>> [<literal>TLSv1.1</literal>]
>> [<literal>TLSv1.2</literal>]
>> [<literal>TLSv1.3</literal>]</syntax>
>> -<default>TLSv1 TLSv1.1 TLSv1.2</default>
>> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
>> <context>http</context>
>> <context>server</context>
>> <context>location</context>
>
> It makes sense to add a history note here and in other modules that have the ssl_protocol directive.
[...]
Hi Maxim,
Thank you for the feedback, the patch was accordingly updated:
# HG changeset patch
# User Yaroslav Zhuravlev <yar at nginx.com>
# Date 1678486627 0
# Fri Mar 10 22:17:07 2023 +0000
# Node ID 6096d51ff4d2abecc67b47bc09cfbf03be69f7b0
# Parent ac7518a1fe1c74daba708e30405a9b5d33f606e1
Added TLSv1.3 to the default value of ssl_protocols and friends.
diff --git a/xml/en/docs/http/configuring_https_servers.xml b/xml/en/docs/http/configuring_https_servers.xml
--- a/xml/en/docs/http/configuring_https_servers.xml
+++ b/xml/en/docs/http/configuring_https_servers.xml
@@ -8,7 +8,7 @@
<article name="Configuring HTTPS servers"
link="/en/docs/http/configuring_https_servers.html"
lang="en"
- rev="13"
+ rev="14"
author="Igor Sysoev"
editor="Brian Mercer">
@@ -31,7 +31,7 @@
server_name www.example.com;
ssl_certificate <b>www.example.com.crt</b>;
ssl_certificate_key <b>www.example.com.key</b>;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
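Review bot: the sample server block in this hunk now hard-codes all four versions in "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;", while the paragraph changed in the @@ -59 hunk says this is the default, "so configuring them explicitly is generally not needed". Consider dropping the line from this sample and from the one at @@ -110, or marking it as optional, so the examples do not need editing each time the default changes and readers who copy them do not end up pinning TLSv1 and TLSv1.1 explicitly.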
@@ -59,7 +59,7 @@
can be used to limit connections
to include only the strong versions and ciphers of SSL/TLS.
By default nginx uses
-“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>”
+“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>”
and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
so configuring them explicitly is generally not needed.
Note that default values of these directives were
@@ -110,7 +110,7 @@
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
</programlisting>
@@ -446,6 +446,11 @@
<list type="bullet">
<listitem>
+Version 1.23.4 and later: the default SSL protocols are TLSv1,
+TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library).
+</listitem>
+
+<listitem>
Version 1.9.1 and later: the default SSL protocols are TLSv1,
TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
</listitem>
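Review bot: in the new list item, "(if supported by the OpenSSL library)" is vague for TLSv1.3. The ngx_http_ssl_module.xml hunk in this same patch shows the concrete requirement in its context lines, "works only when OpenSSL 1.1.1 or higher is used". Suggest naming OpenSSL 1.1.1 in this item as well, or linking to the ssl_protocols directive, and mirroring the change in the xml/ru copy.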
diff --git a/xml/en/docs/http/ngx_http_grpc_module.xml b/xml/en/docs/http/ngx_http_grpc_module.xml
--- a/xml/en/docs/http/ngx_http_grpc_module.xml
+++ b/xml/en/docs/http/ngx_http_grpc_module.xml
@@ -10,7 +10,7 @@
<module name="Module ngx_http_grpc_module"
link="/en/docs/http/ngx_http_grpc_module.html"
lang="en"
- rev="8">
+ rev="9">
<section id="summary">
@@ -633,7 +633,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
<context>location</context>
@@ -642,6 +642,13 @@
Enables the specified protocols for requests to a gRPC SSL server.
</para>
+<para>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
+</para>
+
</directive>
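Review bot: the added note says TLSv1.3 is "used by default since 1.23.4" with no mention of the OpenSSL dependency. In the ngx_http_ssl_module.xml hunk the same note lands directly after the existing "works only when OpenSSL 1.1.1 or higher is used" note, but nothing in this hunk says so, and a reader of this directive alone may expect TLSv1.3 on any build. Suggest adding the condition to the note or linking to ssl_protocols; the same applies to the proxy, uwsgi and stream proxy hunks, which add the identical standalone note.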
diff --git a/xml/en/docs/http/ngx_http_proxy_module.xml b/xml/en/docs/http/ngx_http_proxy_module.xml
--- a/xml/en/docs/http/ngx_http_proxy_module.xml
+++ b/xml/en/docs/http/ngx_http_proxy_module.xml
@@ -10,7 +10,7 @@
<module name="Module ngx_http_proxy_module"
link="/en/docs/http/ngx_http_proxy_module.html"
lang="en"
- rev="75">
+ rev="76">
<section id="summary">
@@ -2096,7 +2096,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
<context>location</context>
@@ -2106,6 +2106,13 @@
Enables the specified protocols for requests to a proxied HTTPS server.
</para>
+<para>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/en/docs/http/ngx_http_ssl_module.xml b/xml/en/docs/http/ngx_http_ssl_module.xml
--- a/xml/en/docs/http/ngx_http_ssl_module.xml
+++ b/xml/en/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
<module name="Module ngx_http_ssl_module"
link="/en/docs/http/ngx_http_ssl_module.html"
lang="en"
- rev="59">
+ rev="60">
<section id="summary">
@@ -76,7 +76,7 @@
listen 443 ssl;
<emphasis>keepalive_timeout 70;</emphasis>
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
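Review bot: adding TLSv1.3 to ssl_protocols in this example leaves it inconsistent with the unchanged line below it, "ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;". Every name in that list is a TLSv1.2-or-earlier suite, including RC4 and DES-CBC3 entries, so none of them applies to the newly listed protocol. Since the example is being touched anyway, suggest replacing the cipher line with the "HIGH:!aNULL:!MD5" form used in configuring_https_servers.xml, or removing it; the mail and stream ssl module examples at @@ -69 and @@ -62 carry the same line.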
@@ -595,7 +595,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
@@ -609,6 +609,10 @@
The <literal>TLSv1.3</literal> parameter (1.13.0) works only when
OpenSSL 1.1.1 or higher is used.
</note>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
</para>
</directive>
diff --git a/xml/en/docs/http/ngx_http_uwsgi_module.xml b/xml/en/docs/http/ngx_http_uwsgi_module.xml
--- a/xml/en/docs/http/ngx_http_uwsgi_module.xml
+++ b/xml/en/docs/http/ngx_http_uwsgi_module.xml
@@ -10,7 +10,7 @@
<module name="Module ngx_http_uwsgi_module"
link="/en/docs/http/ngx_http_uwsgi_module.html"
lang="en"
- rev="49">
+ rev="50">
<section id="summary">
@@ -1546,7 +1546,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
<context>location</context>
@@ -1556,6 +1556,13 @@
Enables the specified protocols for requests to a secured uwsgi server.
</para>
+<para>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/en/docs/mail/ngx_mail_ssl_module.xml b/xml/en/docs/mail/ngx_mail_ssl_module.xml
--- a/xml/en/docs/mail/ngx_mail_ssl_module.xml
+++ b/xml/en/docs/mail/ngx_mail_ssl_module.xml
@@ -10,7 +10,7 @@
<module name="Module ngx_mail_ssl_module"
link="/en/docs/mail/ngx_mail_ssl_module.html"
lang="en"
- rev="26">
+ rev="27">
<section id="summary">
@@ -69,7 +69,7 @@
server {
listen 993 ssl;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -420,7 +420,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>mail</context>
<context>server</context>
@@ -434,6 +434,10 @@
The <literal>TLSv1.3</literal> parameter (1.13.0) works only when
OpenSSL 1.1.1 or higher is used.
</note>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
</para>
</directive>
diff --git a/xml/en/docs/stream/ngx_stream_proxy_module.xml b/xml/en/docs/stream/ngx_stream_proxy_module.xml
--- a/xml/en/docs/stream/ngx_stream_proxy_module.xml
+++ b/xml/en/docs/stream/ngx_stream_proxy_module.xml
@@ -9,7 +9,7 @@
<module name="Module ngx_stream_proxy_module"
link="/en/docs/stream/ngx_stream_proxy_module.html"
lang="en"
- rev="31">
+ rev="32">
<section id="summary">
@@ -543,7 +543,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>stream</context>
<context>server</context>
@@ -551,6 +551,13 @@
Enables the specified protocols for connections to a proxied server.
</para>
+<para>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/en/docs/stream/ngx_stream_ssl_module.xml b/xml/en/docs/stream/ngx_stream_ssl_module.xml
--- a/xml/en/docs/stream/ngx_stream_ssl_module.xml
+++ b/xml/en/docs/stream/ngx_stream_ssl_module.xml
@@ -9,7 +9,7 @@
<module name="Module ngx_stream_ssl_module"
link="/en/docs/stream/ngx_stream_ssl_module.html"
lang="en"
- rev="31">
+ rev="32">
<section id="summary">
@@ -62,7 +62,7 @@
server {
listen 12345 ssl;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -444,7 +444,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>stream</context>
<context>server</context>
@@ -458,6 +458,10 @@
The <literal>TLSv1.3</literal> parameter (1.13.0) works only when
OpenSSL 1.1.1 or higher is used.
</note>
+<note>
+The <literal>TLSv1.3</literal> parameter is used by default
+since 1.23.4.
+</note>
</para>
</directive>
diff --git a/xml/ru/docs/http/configuring_https_servers.xml b/xml/ru/docs/http/configuring_https_servers.xml
--- a/xml/ru/docs/http/configuring_https_servers.xml
+++ b/xml/ru/docs/http/configuring_https_servers.xml
@@ -8,7 +8,7 @@
<article name="Настройка HTTPS-серверов"
link="/ru/docs/http/configuring_https_servers.html"
lang="ru"
- rev="13"
+ rev="14"
author="Игорь Сысоев"
editor="Brian Mercer">
@@ -30,7 +30,7 @@
server_name www.example.com;
ssl_certificate <b>www.example.com.crt</b>;
ssl_certificate_key <b>www.example.com.key</b>;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
@@ -58,7 +58,7 @@
можно ограничить соединения
использованием только “сильных” версий и шифров SSL/TLS.
По умолчанию nginx использует
-“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” и
+“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>” и
“<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
поэтому их явная настройка в общем случае не требуется.
Следует отметить, что значения по умолчанию этих директив несколько раз
@@ -108,7 +108,7 @@
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
</programlisting>
@@ -445,6 +445,11 @@
<list type="bullet">
<listitem>
+Версия 1.23.4 и более поздние: протоколами SSL по умолчанию являются
+TLSv1, TLSv1.1, TLSv1.2 и TLSv1.3 (если поддерживается библиотекой OpenSSL).
+</listitem>
+
+<listitem>
Версия 1.9.1 и более поздние: протоколами SSL по умолчанию являются
TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL).
</listitem>
diff --git a/xml/ru/docs/http/ngx_http_grpc_module.xml b/xml/ru/docs/http/ngx_http_grpc_module.xml
--- a/xml/ru/docs/http/ngx_http_grpc_module.xml
+++ b/xml/ru/docs/http/ngx_http_grpc_module.xml
@@ -10,7 +10,7 @@
<module name="Модуль ngx_http_grpc_module"
link="/ru/docs/http/ngx_http_grpc_module.html"
lang="ru"
- rev="8">
+ rev="9">
<section id="summary">
@@ -632,7 +632,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
<context>location</context>
@@ -641,6 +641,13 @@
Разрешает указанные протоколы для запросов к gRPC SSL-серверу.
</para>
+<para>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/ru/docs/http/ngx_http_proxy_module.xml b/xml/ru/docs/http/ngx_http_proxy_module.xml
--- a/xml/ru/docs/http/ngx_http_proxy_module.xml
+++ b/xml/ru/docs/http/ngx_http_proxy_module.xml
@@ -10,7 +10,7 @@
<module name="Модуль ngx_http_proxy_module"
link="/ru/docs/http/ngx_http_proxy_module.html"
lang="ru"
- rev="75">
+ rev="76">
<section id="summary">
@@ -2098,7 +2098,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
<context>location</context>
@@ -2108,6 +2108,13 @@
Разрешает указанные протоколы для запросов к проксируемому HTTPS-серверу.
</para>
+<para>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/ru/docs/http/ngx_http_ssl_module.xml b/xml/ru/docs/http/ngx_http_ssl_module.xml
--- a/xml/ru/docs/http/ngx_http_ssl_module.xml
+++ b/xml/ru/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
<module name="Модуль ngx_http_ssl_module"
link="/ru/docs/http/ngx_http_ssl_module.html"
lang="ru"
- rev="59">
+ rev="60">
<section id="summary">
@@ -76,7 +76,7 @@
listen 443 ssl;
<emphasis>keepalive_timeout 70;</emphasis>
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -600,7 +600,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
@@ -614,6 +614,10 @@
Параметр <literal>TLSv1.3</literal> (1.13.0) работает только
при использовании OpenSSL 1.1.1 и выше.
</note>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
</para>
</directive>
diff --git a/xml/ru/docs/http/ngx_http_uwsgi_module.xml b/xml/ru/docs/http/ngx_http_uwsgi_module.xml
--- a/xml/ru/docs/http/ngx_http_uwsgi_module.xml
+++ b/xml/ru/docs/http/ngx_http_uwsgi_module.xml
@@ -10,7 +10,7 @@
<module name="Модуль ngx_http_uwsgi_module"
link="/ru/docs/http/ngx_http_uwsgi_module.html"
lang="ru"
- rev="49">
+ rev="50">
<section id="summary">
@@ -1542,7 +1542,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>http</context>
<context>server</context>
<context>location</context>
@@ -1552,6 +1552,13 @@
Разрешает указанные протоколы для запросов к suwsgi-серверу.
</para>
+<para>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/ru/docs/mail/ngx_mail_ssl_module.xml b/xml/ru/docs/mail/ngx_mail_ssl_module.xml
--- a/xml/ru/docs/mail/ngx_mail_ssl_module.xml
+++ b/xml/ru/docs/mail/ngx_mail_ssl_module.xml
@@ -10,7 +10,7 @@
<module name="Модуль ngx_mail_ssl_module"
link="/ru/docs/mail/ngx_mail_ssl_module.html"
lang="ru"
- rev="26">
+ rev="27">
<section id="summary">
@@ -69,7 +69,7 @@
server {
listen 993 ssl;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -422,7 +422,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>mail</context>
<context>server</context>
@@ -436,6 +436,10 @@
Параметр <literal>TLSv1.3</literal> (1.13.0) работает только
при использовании OpenSSL 1.1.1 и выше.
</note>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
</para>
</directive>
diff --git a/xml/ru/docs/stream/ngx_stream_proxy_module.xml b/xml/ru/docs/stream/ngx_stream_proxy_module.xml
--- a/xml/ru/docs/stream/ngx_stream_proxy_module.xml
+++ b/xml/ru/docs/stream/ngx_stream_proxy_module.xml
@@ -9,7 +9,7 @@
<module name="Модуль ngx_stream_proxy_module"
link="/ru/docs/stream/ngx_stream_proxy_module.html"
lang="ru"
- rev="31">
+ rev="32">
<section id="summary">
@@ -543,7 +543,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>stream</context>
<context>server</context>
@@ -551,6 +551,13 @@
Разрешает указанные протоколы для соединений с проксируемым сервером.
</para>
+<para>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
+</para>
+
</directive>
diff --git a/xml/ru/docs/stream/ngx_stream_ssl_module.xml b/xml/ru/docs/stream/ngx_stream_ssl_module.xml
--- a/xml/ru/docs/stream/ngx_stream_ssl_module.xml
+++ b/xml/ru/docs/stream/ngx_stream_ssl_module.xml
@@ -9,7 +9,7 @@
<module name="Модуль ngx_stream_ssl_module"
link="/ru/docs/stream/ngx_stream_ssl_module.html"
lang="ru"
- rev="31">
+ rev="32">
<section id="summary">
@@ -62,7 +62,7 @@
server {
listen 12345 ssl;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
@@ -447,7 +447,7 @@
[<literal>TLSv1.1</literal>]
[<literal>TLSv1.2</literal>]
[<literal>TLSv1.3</literal>]</syntax>
-<default>TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
<context>stream</context>
<context>server</context>
@@ -461,6 +461,10 @@
Параметр <literal>TLSv1.3</literal> (1.13.0) работает только
при использовании OpenSSL 1.1.1 и выше.
</note>
+<note>
+Параметр <literal>TLSv1.3</literal> используется по умолчанию
+начиная с 1.23.4.
+</note>
</para>
</directive>