nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)
nginx at bartelt.name
Sun Nov 29 15:01:07 UTC 2020
Hello,
I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not
configured to do so. I've observed this behavior on OpenBSD (nginx
1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0
linked against OpenSSL 1.1.1f). I don't know which release of nginx
introduced this bug.
From nginx.conf:
ssl_protocols TLSv1.2;
--> in my understanding, this config statement should only enable TLS
1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is
implicitly enabled in addition to TLS 1.2.
Best regards
Andreas
# nginx -V
nginx version: nginx/1.18.0
built with LibreSSL 3.2.2 (running with LibreSSL 3.3.0)
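
One way to check the behavior reported above from the client side, as an added example that is not part of the original post or of nginx: it pins a handshake to a single TLS version and compares what the server accepts with what ssl_protocols lists. The function names, the host and port arguments, and the simplification of taking the union of all ssl_protocols directives in the file are assumptions.

```python
import re
import socket
import ssl

# Versions probed here; older protocols are outside what the post discusses.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def configured_protocols(conf_text):
    """Protocols named by ssl_protocols directives (union over the file, a simplification)."""
    found = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
        if m:
            found.update(m.group(1).split())
    return found

def accepts(host, port, name, timeout=5.0):
    """True if the server completes a handshake pinned to exactly this version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the negotiated protocol matters for this probe, so certificate
    # checks are off; never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    raw = socket.create_connection((host, port), timeout=timeout)  # raises if unreachable
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() == name
    except OSError:  # includes ssl.SSLError: handshake refused, reset or timed out
        return False
    finally:
        raw.close()

def unexpected_versions(conf_text, accepted):
    """Versions the server accepted although the configuration does not list them."""
    return sorted(set(accepted) - configured_protocols(conf_text))

def audit(host, port, conf_text):
    """Probe each version and report the ones enabled beyond the configuration."""
    accepted = [name for name in VERSIONS if accepts(host, port, name)]
    return unexpected_versions(conf_text, accepted)
```

With the configuration quoted in the post, a server showing the reported behavior would make audit() return ["TLSv1.3"]; an empty list means the accepted versions match the directive.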