[PATCH] Added TLSv1.3 to the default value of ssl_protocols and friends

Sergey Kandaurov pluknet at nginx.com
Tue Mar 28 16:37:02 UTC 2023


> On 28 Mar 2023, at 18:37, Yaroslav Zhuravlev <yar at nginx.com> wrote:
> 
> 
> 
>> On 24 Mar 2023, at 15:30, Maxim Konovalov <maxim at nginx.com> wrote:
>> 
>> Hi Yar,
>> 
>> On 21.03.2023 00:19, Yaroslav Zhuravlev wrote:
>>> diff --git a/xml/en/docs/http/ngx_http_grpc_module.xml b/xml/en/docs/http/ngx_http_grpc_module.xml
>>> --- a/xml/en/docs/http/ngx_http_grpc_module.xml
>>> +++ b/xml/en/docs/http/ngx_http_grpc_module.xml
>> [...]
>>> @@ -633,7 +633,7 @@
>>>     [<literal>TLSv1.1</literal>]
>>>     [<literal>TLSv1.2</literal>]
>>>     [<literal>TLSv1.3</literal>]</syntax>
>>> -<default>TLSv1 TLSv1.1 TLSv1.2</default>
>>> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
>>> <context>http</context>
>>> <context>server</context>
>>> <context>location</context>
>> 
>> It makes sense to add a history note here and in other modules that have ssl_protocol directive.
> 
> [...]
> 
> Hi Maxim, 
> 
> Thank you for the feedback, the patch was accordingly updated: 
> 
> # HG changeset patch
> # User Yaroslav Zhuravlev <yar at nginx.com>
> # Date 1678486627 0
> #      Fri Mar 10 22:17:07 2023 +0000
> # Node ID 6096d51ff4d2abecc67b47bc09cfbf03be69f7b0
> # Parent  ac7518a1fe1c74daba708e30405a9b5d33f606e1
> Added TLSv1.3 to the default value of ssl_protocols and friends.
> 
> diff --git a/xml/en/docs/http/configuring_https_servers.xml b/xml/en/docs/http/configuring_https_servers.xml
> --- a/xml/en/docs/http/configuring_https_servers.xml
> +++ b/xml/en/docs/http/configuring_https_servers.xml
> @@ -8,7 +8,7 @@
> <article name="Configuring HTTPS servers"
>          link="/en/docs/http/configuring_https_servers.html"
>          lang="en"
> -         rev="13"
> +         rev="14"
>          author="Igor Sysoev"
>          editor="Brian Mercer">
> 
> @@ -31,7 +31,7 @@
>     server_name         www.example.com;
>     ssl_certificate     <b>www.example.com.crt</b>;
>     ssl_certificate_key <b>www.example.com.key</b>;
> -    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
> +    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>     ssl_ciphers         HIGH:!aNULL:!MD5;
>     ...
> }
> @@ -59,7 +59,7 @@
> can be used to limit connections
> to include only the strong versions and ciphers of SSL/TLS.
> By default nginx uses
> -“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>”
> +“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>”
> and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
> so configuring them explicitly is generally not needed.
> Note that default values of these directives were
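Review bot: the rewritten sentence "By default nginx uses “ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3”" states the new default unconditionally, while the history entry added later in this same file qualifies it with "(if supported by the OpenSSL library)" and the ngx_http_ssl_module hunk keeps the note that TLSv1.3 works only with OpenSSL 1.1.1 or higher. Consider carrying the same qualification into this sentence, for example "… TLSv1.2 TLSv1.3” (TLSv1.3 if supported by the OpenSSL library)", so a reader on an older OpenSSL does not conclude that TLSv1.3 is enabled.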
> @@ -110,7 +110,7 @@
> 
>         ssl_certificate     www.example.com.crt;
>         ssl_certificate_key www.example.com.key;
> -        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
> +        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>         ssl_ciphers         HIGH:!aNULL:!MD5;
>         ...
> </programlisting>
> @@ -446,6 +446,11 @@
> <list type="bullet">
> 
> <listitem>
> +Version 1.23.4 and later: the default SSL protocols are TLSv1,
> +TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library).
> +</listitem>
> +
> +<listitem>
> Version 1.9.1 and later: the default SSL protocols are TLSv1,
> TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
> </listitem>
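Review bot: the new 1.23.4 entry mirrors the 1.9.1 wording and is correctly placed above it, but "(if supported by the OpenSSL library)" is vaguer than the concrete requirement the ngx_http_ssl_module hunk states ("OpenSSL 1.1.1 or higher"). Since this list is where readers come to find out what the default is on their build, consider stating the version here as well: "and TLSv1.3 (if supported by the OpenSSL library, i.e. OpenSSL 1.1.1 or higher)".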
> diff --git a/xml/en/docs/http/ngx_http_grpc_module.xml b/xml/en/docs/http/ngx_http_grpc_module.xml
> --- a/xml/en/docs/http/ngx_http_grpc_module.xml
> +++ b/xml/en/docs/http/ngx_http_grpc_module.xml
> @@ -10,7 +10,7 @@
> <module name="Module ngx_http_grpc_module"
>         link="/en/docs/http/ngx_http_grpc_module.html"
>         lang="en"
> -        rev="8">
> +        rev="9">
> 
> <section id="summary">
> 
> @@ -633,7 +633,7 @@
>     [<literal>TLSv1.1</literal>]
>     [<literal>TLSv1.2</literal>]
>     [<literal>TLSv1.3</literal>]</syntax>
> -<default>TLSv1 TLSv1.1 TLSv1.2</default>
> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
> <context>http</context>
> <context>server</context>
> <context>location</context>
> @@ -642,6 +642,13 @@
> Enables the specified protocols for requests to a gRPC SSL server.
> </para>
> 
> +<para>
> +<note>
> +The <literal>TLSv1.3</literal> parameter is used by default
> +since 1.23.4.
> +</note>
> +</para>
> +
> </directive>
> 
> 
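Review bot: the added note for grpc_ssl_protocols says only that TLSv1.3 is used by default since 1.23.4, with no mention of the OpenSSL requirement; in ngx_http_ssl_module the equivalent note sits directly under the existing caveat that TLSv1.3 works only with OpenSSL 1.1.1 or higher, so readers there get both facts together. If grpc_ssl_protocols has no such caveat of its own, consider adding it to this note, e.g. "The TLSv1.3 parameter is used by default since 1.23.4 (if supported by the OpenSSL library)", so the three documents describe the same behaviour.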
> diff --git a/xml/en/docs/http/ngx_http_proxy_module.xml b/xml/en/docs/http/ngx_http_proxy_module.xml
> --- a/xml/en/docs/http/ngx_http_proxy_module.xml
> +++ b/xml/en/docs/http/ngx_http_proxy_module.xml
> @@ -10,7 +10,7 @@
> <module name="Module ngx_http_proxy_module"
>         link="/en/docs/http/ngx_http_proxy_module.html"
>         lang="en"
> -        rev="75">
> +        rev="76">
> 
> <section id="summary">
> 
> @@ -2096,7 +2096,7 @@
>     [<literal>TLSv1.1</literal>]
>     [<literal>TLSv1.2</literal>]
>     [<literal>TLSv1.3</literal>]</syntax>
> -<default>TLSv1 TLSv1.1 TLSv1.2</default>
> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
> <context>http</context>
> <context>server</context>
> <context>location</context>
> @@ -2106,6 +2106,13 @@
> Enables the specified protocols for requests to a proxied HTTPS server.
> </para>
> 
> +<para>
> +<note>
> +The <literal>TLSv1.3</literal> parameter is used by default
> +since 1.23.4.
> +</note>
> +</para>
> +
> </directive>
> 
> 
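Review bot: this note is word-for-word the one added to grpc_ssl_protocols, which is good for consistency, but it likewise omits the OpenSSL-support condition; the same "(if supported by the OpenSSL library)" qualification used in the configuring_https_servers history entry would fit here.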
> diff --git a/xml/en/docs/http/ngx_http_ssl_module.xml b/xml/en/docs/http/ngx_http_ssl_module.xml
> --- a/xml/en/docs/http/ngx_http_ssl_module.xml
> +++ b/xml/en/docs/http/ngx_http_ssl_module.xml
> @@ -10,7 +10,7 @@
> <module name="Module ngx_http_ssl_module"
>         link="/en/docs/http/ngx_http_ssl_module.html"
>         lang="en"
> -        rev="59">
> +        rev="60">
> 
> <section id="summary">
> 
> @@ -76,7 +76,7 @@
>         listen              443 ssl;
>         <emphasis>keepalive_timeout   70;</emphasis>
> 
> -        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
> +        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>         ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
>         ssl_certificate     /usr/local/nginx/conf/cert.pem;
>         ssl_certificate_key /usr/local/nginx/conf/cert.key;
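Review bot: the example now advertises TLSv1.3 while the `ssl_ciphers` line immediately below it still lists `RC4-SHA`, `DES-CBC3-SHA` and `RC4-MD5`, none of which are usable with TLSv1.3. Since this snippet illustrates `keepalive_timeout` (the emphasised line) rather than cipher selection, consider either dropping the `ssl_protocols` line from the example now that it merely restates the default, or refreshing the cipher list, so that the added TLSv1.3 is not shown alongside RC4 and 3DES as if that were a recommended configuration.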
> @@ -595,7 +595,7 @@
>     [<literal>TLSv1.1</literal>]
>     [<literal>TLSv1.2</literal>]
>     [<literal>TLSv1.3</literal>]</syntax>
> -<default>TLSv1 TLSv1.1 TLSv1.2</default>
> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default>
> <context>http</context>
> <context>server</context>
> 
> @@ -609,6 +609,10 @@
> The <literal>TLSv1.3</literal> parameter (1.13.0) works only when
> OpenSSL 1.1.1 or higher is used.
> </note>
> +<note>
> +The <literal>TLSv1.3</literal> parameter is used by default
> +since 1.23.4.
> +</note>
> </para>
> 
> </directive>
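Review bot: the two `<note>` elements now sit back to back inside one `<para>`, the first saying TLSv1.3 (1.13.0) works only with OpenSSL 1.1.1 or higher and the second that it is the default since 1.23.4. As both concern the same parameter, consider merging them into a single note ("The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 or higher is used and is used by default since 1.23.4."), which also keeps the wording of the grpc and proxy module notes within reach of one edit.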

[..]

Looks good to me.

-- 
Sergey Kandaurov
