nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)
mdounin at mdounin.ru
Mon Nov 30 15:07:59 UTC 2020
On Sun, Nov 29, 2020 at 04:01:07PM +0100, nginx at bartelt.name wrote:
> I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not
> configured to do so. I've observed this behavior on OpenBSD (with nginx
> 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0
> linked against OpenSSL 1.1.1f). I don't know which release of nginx
> introduced this bug.
> From nginx.conf:
> ssl_protocols TLSv1.2;
> --> in my understanding, this config statement should only enable TLS
> 1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is
> implicitly enabled in addition to TLS 1.2.
As long as "ssl_protocols TLSv1.2;" is the only ssl_protocols in
nginx configuration, TLSv1.3 shouldn't be enabled. Much like when
there are no "ssl_protocols" at all, as TLSv1.3 isn't enabled by
default (for now, at least up to and including nginx 1.19.5).
If you see it enabled, please provide full "nginx -T" output on
the minimal configuration you are able to reproduce the problem
with, along with some tests which demonstrate that TLSv1.3 is
indeed enabled. Full output of "nginx -V" and compilation
details might also be helpful.
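Two checks a reporter can attach to such a bug report, as an added example that is not part of this thread and not nginx's own code: the first reads an "nginx -T" dump and works out, per server block, which protocols the configuration actually enables (a server-level ssl_protocols overrides the http-level one, and with no directive at all the default of "TLSv1 TLSv1.1 TLSv1.2" applies for these releases; both rules are stated here as assumptions, the dump format is assumed to carry one directive per line, and the sample dump is constructed); the second opens a connection pinned to exactly TLSv1.3 and reports whether the server accepts it, which is the kind of test the reply asks for.

```python
"""Check which TLS versions an nginx config enables, and probe a live server.

Added example (not from the thread, not nginx's own code). Assumptions:
- nginx releases up to 1.19.5 default to "ssl_protocols TLSv1 TLSv1.1 TLSv1.2";
- a server-level ssl_protocols overrides an http-level one;
- the "nginx -T" dump has one directive per line (the sample below is constructed).
"""
import re
import socket
import ssl

# Default for the releases discussed in the thread (assumption, see above).
DEFAULT_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")

DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|server_name|listen)\s+([^;]*);")


def effective_ssl_protocols(dump: str) -> dict:
    """Map each server{} block (keyed by its first server_name, else its first
    listen value, else an index) to the protocols nginx would offer for it."""
    http_level = None   # ssl_protocols set at http{} level, inherited by servers
    results = {}
    stack = []          # block names currently open, e.g. ["http", "server"]
    current = None      # state of the server{} block being parsed
    for raw in dump.splitlines():
        line = raw.split("#", 1)[0]          # drop comments (nginx -T adds many)
        stripped = line.strip()
        if stripped.endswith("{"):
            header = stripped[:-1].split()
            stack.append(header[0] if header else "")
            if stack[-1] == "server":
                current = {"name": None, "listen": None, "protocols": None}
            continue
        if stripped == "}":
            closed = stack.pop() if stack else ""
            if closed == "server" and current is not None:
                key = current["name"] or current["listen"] or f"server#{len(results) + 1}"
                protos = current["protocols"] or http_level or DEFAULT_PROTOCOLS
                results[key] = tuple(protos)
                current = None
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2).split()
        if directive == "ssl_protocols":
            if current is not None:
                current["protocols"] = value          # server-level wins
            elif stack and stack[-1] == "http":
                http_level = value
        elif current is not None and directive == "server_name" and current["name"] is None:
            current["name"] = value[0]
        elif current is not None and directive == "listen" and current["listen"] is None:
            current["listen"] = value[0]
    return results


def tls13_enabled(dump: str) -> dict:
    """True for every server block whose effective ssl_protocols lists TLSv1.3."""
    return {k: "TLSv1.3" in v for k, v in effective_ssl_protocols(dump).items()}


def negotiated_version(host: str, port: int = 443, version=ssl.TLSVersion.TLSv1_3):
    """Connect with the client pinned to exactly `version` and return the
    protocol the server negotiated, or None if it refuses that version.
    Certificate checks are disabled on purpose: this probes protocol support
    only and says nothing about whether the server's certificate is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


# Constructed sample of an "nginx -T" dump; not real output from any host.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2;
    server {
        listen 443 ssl;
        server_name inherits.example;
    }
    server {
        listen 8443 ssl;
        server_name explicit13.example;
        ssl_protocols TLSv1.2 TLSv1.3;   # the only way TLSv1.3 gets enabled
    }
}
"""

if __name__ == "__main__":
    for name, protos in effective_ssl_protocols(SAMPLE_DUMP).items():
        print(f"{name}: {' '.join(protos)}")
```

Run it against a real dump by reading "nginx -T" output into a string and calling effective_ssl_protocols on it; if the config side shows no TLSv1.3 but negotiated_version("your.host") still returns "TLSv1.3", that pairing (config dump plus probe result) is exactly the evidence the reply asks for.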