Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

Maxim Dounin
November 30, 2020 10:08AM
Hello!

On Sun, Nov 29, 2020 at 04:01:07PM +0100, nginx@bartelt.name wrote:

> I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not
> configured to do so. I've observed this behavior on OpenBSD with (nginx
> 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0
> linked against OpenSSL 1.1.1f). I don't know which release of nginx
> introduced this bug.
>
> From nginx.conf:
> ssl_protocols TLSv1.2;
> --> in my understanding, this config statement should only enable TLS
> 1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is
> implicitly enabled in addition to TLS 1.2.

As long as "ssl_protocols TLSv1.2;" is the only ssl_protocols in
nginx configuration, TLSv1.3 shouldn't be enabled. Much like when
there are no "ssl_protocols" at all, as TLSv1.3 isn't enabled by
default (for now, at least up to and including nginx 1.19.5).

If you see it enabled, please provide full "nginx -T" output on
the minimal configuration you are able to reproduce the problem
with, along with some tests which demonstrate that TLSv1.3 is
indeed enabled. Full output of "nginx -V" and compilation
details might also be helpful.

--
Maxim Dounin
http://mdounin.ru/
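
One way to gather the evidence requested above, as an added example that is not part of the original post or of nginx itself: list every active `ssl_protocols` directive in `nginx -T` output, then check whether a server completes a handshake when the client offers only TLS 1.3. The sample dump, file paths and function names are constructed for illustration, and the parser assumes one directive per line.

```python
import re
import socket
import ssl

# Constructed sample of `nginx -T` output (not taken from the thread).
SAMPLE_NGINX_T = """\
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2;
}
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

FILE_RE = re.compile(r"^# configuration file (.+):$")
# Simplification: only matches a directive that starts its own line.
DIRECTIVE_RE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")

def find_ssl_protocols(nginx_t_output):
    """Return (file, line number in file, protocols) per active directive."""
    found, current, line_no = [], None, 0
    for line in nginx_t_output.splitlines():
        m = FILE_RE.match(line)
        if m:  # `nginx -T` prints this header before each file it dumps
            current, line_no = m.group(1), 0
            continue
        line_no += 1
        m = DIRECTIVE_RE.match(line)  # commented-out directives do not match
        if m:
            found.append((current, line_no, m.group(1).split()))
    return found

def negotiates_tls13(host, port=443, timeout=5.0):
    """True if the server completes a handshake with a TLS 1.3-only client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only, the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is deliberately not validated here
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # Connection errors propagate: "unreachable" is not "TLS 1.3 disabled".
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.3"
        except (ssl.SSLError, ConnectionResetError):
            return False  # handshake refused at this protocol version
```

Feed `find_ssl_protocols` the real `nginx -T` output from the affected host, and run `negotiates_tls13` against each listening address so the report shows both the configuration and the observed handshake result.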