nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

Maxim Dounin mdounin at
Mon Nov 30 15:07:59 UTC 2020


On Sun, Nov 29, 2020 at 04:01:07PM +0100, nginx at wrote:

> I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not 
> configured to do so. I've observed this behavior on OpenBSD with (nginx 
> 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0 
> linked against OpenSSL 1.1.1f). I don't know which release of nginx 
> introduced this bug.
> From nginx.conf:
> ssl_protocols TLSv1.2;
> --> in my understanding, this config statement should only enable TLS 
> 1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is 
> implicitly enabled in addition to TLS 1.2.

As long as "ssl_protocols TLSv1.2;" is the only ssl_protocols in 
nginx configuration, TLSv1.3 shouldn't be enabled.  Much like when 
there are no "ssl_protocols" at all, as TLSv1.3 isn't enabled by 
default (for now, at least up to and including nginx 1.19.5).

If you see it enabled, please provide full "nginx -T" output on 
the minimal configuration you are able to reproduce the problem 
with, along with some tests which demonstrate that TLSv1.3 is 
indeed enabled.  Full output of "nginx -V" and compilation 
details might also be helpful.

Maxim Dounin
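
An added example, not part of the original thread: one way to gather the evidence requested above is to list every ssl_protocols directive in an "nginx -T" dump with its source file and line, and to probe the listener with a TLS 1.3-only client. The function names and the sample dump are constructed for illustration; the parser relies on the "# configuration file <path>:" marker lines that "nginx -T" prints before each file.

```python
import re
import socket
import ssl

# Constructed sample of "nginx -T" output (not taken from the thread).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2;
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;  (commented out, must be ignored)
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

FILE_MARKER = re.compile(r"^# configuration file (.+):$")
# The leading delimiter keeps proxy_ssl_protocols and similar names from matching.
DIRECTIVE = re.compile(r"(?:^|[;{}\s])ssl_protocols\s+([^;]+);")


def find_ssl_protocols(dump):
    """Return (file, line_no, [protocols]) for each ssl_protocols directive."""
    found, current, line_no = [], None, 0
    for raw in dump.splitlines():
        marker = FILE_MARKER.match(raw)
        if marker:
            current, line_no = marker.group(1), 0
            continue
        line_no += 1
        code = raw.split("#", 1)[0]  # drop comments; '#' in quoted values not handled
        for m in DIRECTIVE.finditer(code):
            found.append((current, line_no, m.group(1).split()))
    return found


def negotiates_tls13(host, port=443, timeout=5.0):
    """Live check: offer only TLS 1.3 and report whether the handshake succeeds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # only the protocol version is under test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.3"
    except (ssl.SSLError, OSError):
        return False
```

Feed `find_ssl_protocols` the saved output of "nginx -T", then call `negotiates_tls13` against each listening address to confirm what the running server actually negotiates.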
