Nginx and TLSv1

Scott Larson stl at wiredrive.com
Fri Oct 24 17:03:51 UTC 2014


TLS 1.1 and 1.2 require nginx be built against the 1.0.1 branch of OpenSSL, or the subsequent Libre and Boring forks of it. Odds are high that if you have servers running the old 0.8.x branch of nginx, they are also running the old 0.9.8 branch of OpenSSL. As for whether or not it’s okay to run purely TLSv1 on the nginx 0.8.55 systems, it depends on your willingness to accept the caveats that there are known and likely unknown horrors lurking in that old version of OpenSSL, and the TLSv1 protocol itself is looking a bit rickety these days.

Personally, if I’m going to run a site requiring SSL, then I’m going to do it right and not be rolling out potentially compromised libraries/protocols/ciphers.

__________________

Scott Larson
Systems Administrator

Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com <http://www.wiredrive.com/>
www.twitter.com/wiredrive <http://www.twitter.com/wiredrive>
www.facebook.com/wiredrive <http://www.wiredrive.com/facebook>

> On Oct 24, 2014, at 9:09 AM, teddymills <nginx-forum at nginx.us> wrote:
> 
> I have about 10 nginx servers, versions 1.0.15 and 0.8.55.
> 
> I am patching for the poodle, so:
> 
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> 
> is accepted by nginx 1.0.15 but not 0.8.55
> 
> I would prefer to use just TLSv1 on 0.8.55 if using just TLSv1 is okay.
> 
> Or would upgrading the nginxs be required?
> 
> I don't want to upgrade the older nginx unless absolutely required.
> 
> TIA
> 
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254249,254249#msg-254249
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
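
The version dependency discussed in this thread, as an added example that is not part of either message: a POSIX shell check that works out which `ssl_protocols` line a given nginx/OpenSSL pair can actually honour. It assumes banner strings in the form printed by `nginx -v` and `openssl version`, and that the OpenSSL reported is the library nginx is linked against; the nginx cutoffs (1.0.12 and 1.1.13) come from the nginx `ssl_protocols` documentation rather than the thread, the function names are hypothetical, and the LibreSSL/BoringSSL forks are not handled.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample banners below are constructed.

# Succeeds when version $1 >= $2; both must have three numeric fields (x.y.z).
version_ge() {
    _ifs=$IFS; IFS=.
    set -- $1 $2                 # now: a1 a2 a3 b1 b2 b3
    IFS=$_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# Extract the first x.y.z from a banner; OpenSSL letter suffixes
# (0.9.8e, 1.0.1j) are dropped because only the branch matters here.
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the ssl_protocols directive that takes effect for this pair.
# SSLv3 is never emitted, which is the POODLE change being made in the thread.
ssl_protocols_for() {
    ngx=$(banner_version "$1"); ossl=$(banner_version "$2")
    [ -n "$ngx" ] && [ -n "$ossl" ] || return 2
    protos="TLSv1"
    # nginx side: the TLSv1.1/TLSv1.2 parameters exist from 1.0.12 on the
    # 1.0.x branch and from 1.1.13 onward (assumption from the nginx docs).
    ngx_ok=no
    if version_ge "$ngx" 1.1.13; then
        ngx_ok=yes
    elif version_ge "$ngx" 1.0.12 && ! version_ge "$ngx" 1.1.0; then
        ngx_ok=yes
    fi
    # Library side: OpenSSL 1.0.1 or later, as stated in the reply above.
    if [ "$ngx_ok" = yes ] && version_ge "$ossl" 1.0.1; then
        protos="TLSv1 TLSv1.1 TLSv1.2"
    fi
    printf 'ssl_protocols %s;\n' "$protos"
}

# Constructed banners for the two nginx versions mentioned in the thread.
ssl_protocols_for "nginx version: nginx/0.8.55" "OpenSSL 0.9.8e 23 Feb 2007"
ssl_protocols_for "nginx version: nginx/1.0.15" "OpenSSL 1.0.1j 15 Oct 2014"
```

On a real host the inputs would be `"$(nginx -v 2>&1)"` and `"$(openssl version)"`; a 1.0.15 build linked against a 0.9.8 library still comes out as TLSv1 only.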
