TLSv1.3 by default?

Maxim Dounin
Fri Nov 23 16:51:00 UTC 2018


On Fri, Nov 23, 2018 at 08:43:03AM -0500, Olaf van der Spek wrote:

> Hi,
> Why isn't 1.3 enabled by default (when available)?
> Syntax:  ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
> Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The main reason is that when it was implemented, TLSv1.3 RFC 
wasn't yet finalized, and TLSv1.3 was only available via various 
drafts, and only with pre-release versions of OpenSSL.

Now, with RFC 8446 published and OpenSSL 1.1.1 with TLSv1.3 
released, this probably can be reconsidered.  On the other hand, 
enabling TLSv1.3 is known to break at least some configurations; 
see here for an example:

Also, due to the different approach to configuring ciphers, "ssl_ciphers 
aNULL;" will no longer work as a way to indicate no SSL support 
with TLSv1.3 enabled (

Maxim Dounin

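The "ssl_ciphers aNULL;" catch-all server and the way TLSv1.3 defeats it, as an added configuration example that is not from the post above or from the nginx documentation. It assumes nginx built against OpenSSL 1.1.1; the certificate paths and server names are placeholders, and "ssl_reject_handshake" is a directive that only exists in nginx 1.19.4 and later, i.e. well after this thread.

```nginx
# Added example, not from the mailing list post. Assumes nginx linked
# against OpenSSL 1.1.1; paths and names below are placeholders.

# Catch-all server for unknown SNI names. The classic trick: offer only
# anonymous (aNULL) cipher suites, which no real client accepts, so the
# handshake fails and no certificate for a real site is ever presented.
# This works because TLSv1.2 and earlier pick their suites from the
# "ssl_ciphers" list.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_protocols TLSv1.2;            # deliberately no TLSv1.3 here
    ssl_ciphers aNULL;
    ssl_certificate     /etc/nginx/dummy.crt;   # placeholder self-signed cert
    ssl_certificate_key /etc/nginx/dummy.key;   # placeholder key
}

# What breaks: with TLSv1.3 enabled in the same block, OpenSSL selects
# TLSv1.3 suites from a separate "ciphersuites" list that "ssl_ciphers"
# does not touch, so a TLSv1.3 client completes the handshake against the
# dummy certificate instead of being rejected.
#
#   ssl_protocols TLSv1.2 TLSv1.3;   # aNULL no longer rejects TLSv1.3 clients
#   ssl_ciphers aNULL;
#
# On nginx 1.19.4+ the supported replacement is ssl_reject_handshake,
# which aborts the handshake regardless of protocol version and needs no
# dummy certificate:
#
#   server {
#       listen 443 ssl default_server;
#       server_name _;
#       ssl_reject_handshake on;
#   }

# Real site: enable TLSv1.3 here, where a genuine certificate is served.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     /etc/nginx/example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/example.com.key;   # placeholder
}
```

To confirm the catch-all behaves as intended, connect with a TLSv1.3-capable client using a hostname that matches no real server_name and check that the handshake fails; if it succeeds and the dummy certificate is returned, TLSv1.3 has reached a block that still relies on aNULL.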