Weird proxy_ssl_protocol ordering

bclod nginx-forum at forum.nginx.org
Fri Jan 13 17:33:16 UTC 2017


Hello All,

I found some strange behavior while troubleshooting a connectivity issue
today.  Below was the scenario.

* Upstream Backend configured to allow TLSv1.1 and TLSv1.2
* Client (nginx) configured with proxy_ssl_protocols TLSv1 TLSv1.2

No matter the ordering of nginx proxy_ssl_protocols, TLSv1 was always
attempted first and the handshake would fail. Once I added TLSv1.1, it caused
TLSv1.2 to be attempted first, which would be successful to the Server.

Is this a bug?  I always assumed that nginx would default to the highest
supported protocol outbound, but it seems that "TLSv1 TLSv1.2" might
introduce some sort of strange ordering issue.

We're using openresty 1.11.2.1.1 which internally uses nginx 1.11.2.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271984,271984#msg-271984
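
The configuration in the post lists TLSv1 and TLSv1.2 without TLSv1.1, and the behaviour changed once TLSv1.1 was added. As an added example (not part of the original post), the Python check below flags ssl_protocols and proxy_ssl_protocols lines whose protocol set has such a gap; the function name and the sample configuration are constructed for illustration.

```python
import re

# Protocol names accepted by nginx's *ssl_protocols directives, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DIRECTIVE = re.compile(r"\b((?:proxy_)?ssl_protocols)\s+([^;]+);")

def find_protocol_gaps(conf_text):
    """Return (line_no, directive, listed, missing) for every directive whose
    protocol list skips a version between its lowest and highest entry."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # ignore trailing comments
        m = DIRECTIVE.search(line)
        if not m:
            continue
        listed = m.group(2).split()
        idx = sorted(ORDER.index(p) for p in listed if p in ORDER)
        if not idx:
            continue
        # Every version between the lowest and highest listed one must be present.
        missing = [ORDER[i] for i in range(idx[0], idx[-1] + 1) if i not in idx]
        if missing:
            findings.append((lineno, m.group(1), listed, missing))
    return findings

# Constructed sample configuration (hypothetical host name).
SAMPLE = """
location /a/ {
    proxy_pass https://backend.example;
    proxy_ssl_protocols TLSv1 TLSv1.2;          # gap: TLSv1.1 not listed
}
location /b/ {
    proxy_pass https://backend.example;
    proxy_ssl_protocols TLSv1.2 TLSv1 TLSv1.1;  # all three listed, no gap
}
server { ssl_protocols TLSv1.2 TLSv1.3; }
"""

if __name__ == "__main__":
    for lineno, directive, listed, missing in find_protocol_gaps(SAMPLE):
        print(f"line {lineno}: {directive} {' '.join(listed)} "
              f"skips {', '.join(missing)}")
```

OpenSSL's documentation advises clients against leaving holes in the set of enabled protocol versions, which is the condition this check reports.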
