Hello All,
I found some strange behavior while troubleshooting a connectivity issue today. Below was the scenario.
* Upstream Backend configured to allow TLSv1.1 and TLSv1.2
* Client (nginx) configured with proxy_ssl_protocols TLSv1 TLSv1.2
No matter the ordering of nginx proxy_ssl_protocols, TLSv1 was always attempted first and the handshake would fail. Once I added TLSv1.1, it caused TLSv1.2 to be attempted first, which would be successful to the Server.
Is this a bug? I always assumed that nginx would default to the highest supported protocol outbound, but it seems that "TLSv1 TLSv1.2" might introduce some sort of strange ordering issue.
We're using openresty 1.11.2.1.1 which internally uses nginx 1.11.2.
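
A configuration check for the situation described in this post, added here as an example and not part of the original message or of nginx itself: it scans nginx configuration text for `*ssl_protocols` directives whose enabled versions leave a hole, such as `TLSv1 TLSv1.2`. The function name and the sample configuration are constructed for illustration.

```python
import re

# Protocol names accepted by nginx's *ssl_protocols directives, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Matches ssl_protocols, proxy_ssl_protocols, etc. Commented-out lines are skipped
# because '#' cannot appear before the directive name or inside its arguments.
DIRECTIVE = re.compile(r"^\s*(\w*ssl_protocols)\s+([^;#]+);", re.M)


def protocol_gaps(conf):
    """Return (line, directive, missing_versions) for each non-contiguous set."""
    findings = []
    for m in DIRECTIVE.finditer(conf):
        enabled = {ORDER.index(n) for n in m.group(2).split() if n in ORDER}
        if not enabled:
            continue
        # Versions between the lowest and highest enabled one that are absent.
        missing = [ORDER[i] for i in range(min(enabled), max(enabled) + 1)
                   if i not in enabled]
        if missing:
            line = conf.count("\n", 0, m.start(1)) + 1
            findings.append((line, m.group(1), missing))
    return findings


# Constructed sample: the first block mirrors the setting from the post,
# the second is the contiguous set that worked.
SAMPLE = """\
location /a/ {
    proxy_pass https://backend.example;
    proxy_ssl_protocols TLSv1 TLSv1.2;
}
location /b/ {
    proxy_pass https://backend.example;
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    for line, directive, missing in protocol_gaps(SAMPLE):
        print(f"line {line}: {directive} skips {', '.join(missing)}")
```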