TLSv1.3 by default?

Maxim Dounin mdounin at mdounin.ru
Wed Nov 28 14:19:29 UTC 2018


Hello!

On Wed, Nov 28, 2018 at 03:07:25AM -0500, Olaf van der Spek wrote:

> Olaf van der Spek Wrote:
> -------------------------------------------------------
> > Maxim Dounin Wrote:
> > -------------------------------------------------------
> > > Hello!
> > > 
> > > On Fri, Nov 23, 2018 at 01:05:55PM -0500, Olaf van der Spek wrote:
> > > 
> > > > What's the recommendation for distros? Should they explicitly enable
> > > > TLSv1.3?
> > > > Ideally they'd just stick to upstream defaults, hence my question about the
> > > > default.
> > > 
> > > The recommendation for distros is to not mess with the defaults.
> > 
> > Should they use the 'defaults' from the stock nginx.conf or the
> > defaults from the binary / docs? ;)
> 
> 
> Maxim?

There is no such thing as "defaults from the stock nginx.conf".  
The nginx.conf file can be used to set various configuration 
parameters.

Obviously enough, distributions may need to set something in the 
nginx.conf they ship with nginx packages differently from what is 
configured in the example configuration available in the nginx sources, 
conf/nginx.conf.  Though my recommendation would be to keep the 
configuration shipped as close to conf/nginx.conf as possible, and 
not to diverge from it unless there are good reasons to.

As for TLSv1.3, the TLSv1.3 protocol is currently disabled by 
default in nginx.  Distributions shouldn't try to enable it 
(either way) unless there are very good reasons to do so.

-- 
Maxim Dounin
http://mdounin.ru/

