Enabling TLS 1.0 / 1.1 on Debian Testing

kmansoft nginx-forum at forum.nginx.org
Thu Nov 15 17:17:39 UTC 2018

Cross posting from https://unix.stackexchange.com/questions/481963, this
seems to be the better place to ask.


Just updated Debian from "stable" 9.* to "testing" 10.*.

Have nginx 1.14 - used to come from "stable backports" now included in
Debian itself.

Seeing a strange issue with TLS versions in nginx.

TLS 1.3 is enabled, and 1.2 is too, but I can't seem to get TLS 1.0 / 1.1
even though they're included in nginx configs.


Oh and by the way, Dovecot running on same system still has TLS 1.0 - 1.1 -
1.2 - 1.3 all functional:


relevant bits from nginx site config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

I tried removing either ssl_protocols or ssl_ciphers or both, nothing
changed really.

Is this an intentional change in nginx - upstream or as packaged by Debian?
A change in openssl itself?

Any way I can enable all TLS versions from 1.0 and up to 1.3 in nginx at the
same time?


Found this in Debian news, basically they've disabled TLS 1.0 / 1.1 - apps
have to ask for these versions specifically:


   * Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
     version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
     calling SSL_CTX_set_min_proto_version() or

Is there some way nginx could accommodate this change and make it possible
to enable TLS 1.0 / 1.1?

Maybe consider adding a new config directive like the one used by Dovecot?


It would still allow someone to only use TLS 1.2 and newer, or "TLS 1.0 and
newer" or "TLS 1.1 and newer" without getting overly verbose.

It would also work identical with both OpenSSL variations, with and without
TLS 1.3 support.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281984,281984#msg-281984

More information about the nginx mailing list