nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

nginx at nginx at
Sun Nov 29 15:01:07 UTC 2020


I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not 
configured to do so. I've observed this behavior on OpenBSD with (nginx 
1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0 
linked against OpenSSL 1.1.1f). I don't know which release of nginx 
introduced this bug.

 From nginx.conf:
ssl_protocols TLSv1.2;
--> in my understanding, this config statement should only enable TLS 
1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is 
implicitly enabled in addition to TLS 1.2.

Best regards

# nginx -V
nginx version: nginx/1.18.0
built with LibreSSL 3.2.2 (running with LibreSSL 3.3.0)

More information about the nginx mailing list