Welcome! Log In Create A New Profile

Advanced

Re: ssl_protocols don't respected

Alfred Sawaya
July 02, 2021 12:06PM
Sorry, don't bother.

It is because the default value is inherited from the http block.

And if the ssl_protocols is not specified in the http block, then the
default value is to enable TLS 1, 1.1 and 1.2


Maybe it would be more natural to no inherit for this directive if it is
specified in an underlying block.


Alfred


On 02/07/2021 18:00, Alfred Sawaya wrote:
> Hello,
>
>
> I am trying to configure an nginx that can accept only one ssl
> protocols. In order to do that, I tried to set ssl_protocols to only one
> protocol, but it does not work.
>
> The server always accept all TLS versions.
>
>
> I found that in the source code :
>
> src/http/modules/ngx_http_ssl_module.c : 673
>
>     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
>                          (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
>                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
>
>
> So nginx seems to always activate TLS 1, 1.1 and 1.2. It should rather
> respect the directive ssl_protocls, shouldn't it ?
>
> Why it is not :
>
> ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
>                          (NGX_CONF_BITMASK_SET));
>
> With a if juste before calling nginx_ssl_create to set conf->protocols
> to NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2, only if
> conf->protocols == 0 ?
>
>
> (I also tried to use ssl_conf_command with MinProtocol and MaxProtocol,
> it does not work either...)
>
>
> Thank you,
>
> Alfred
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

ssl_protocols don't respected

Alfred Sawaya 162 July 02, 2021 12:02PM

Re: ssl_protocols don't respected

Alfred Sawaya 32 July 02, 2021 12:06PM

Re: ssl_protocols don't respected

Frank Liu 50 July 03, 2021 12:48AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 88
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready