Re: ssl_protocols don't respected

Frank Liu
July 03, 2021 12:48AM
See this ticket: https://trac.nginx.org/nginx/ticket/844

On Fri, Jul 2, 2021 at 9:05 AM Alfred Sawaya <alfred@huji.fr> wrote:

> Sorry, don't bother.
>
> It is because the default value is inherited from the http block.
>
> And if the ssl_protocols is not specified in the http block, then the
> default value is to enable TLS 1, 1.1 and 1.2.
>
>
> Maybe it would be more natural to not inherit for this directive if it is
> specified in an underlying block.
>
>
> Alfred
>
>
> On 02/07/2021 18:00, Alfred Sawaya wrote:
> > Hello,
> >
> >
> > I am trying to configure an nginx that can accept only one SSL
> > protocol. In order to do that, I tried to set ssl_protocols to only one
> > protocol, but it does not work.
> >
> > The server always accepts all TLS versions.
> >
> >
> > I found that in the source code:
> >
> > src/http/modules/ngx_http_ssl_module.c : 673
> >
> > ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
> > (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
> > |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
> >
> >
> > So nginx seems to always activate TLS 1, 1.1 and 1.2. It should rather
> > respect the directive ssl_protocols, shouldn't it?
> >
> > Why is it not:
> >
> > ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
> > (NGX_CONF_BITMASK_SET));
> >
> > With an if just before calling nginx_ssl_create to set conf->protocols
> > to NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2, only if
> > conf->protocols == 0 ?
> >
> >
> > (I also tried to use ssl_conf_command with MinProtocol and MaxProtocol,
> > it does not work either...)
> >
> >
> > Thank you,
> >
> > Alfred
> >
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
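
The merge call quoted in the thread, modelled as an added example (not code from the thread or from nginx itself) to show how its third argument behaves across the http and server levels. The bit values and the names `merge_bitmask`, `effective_protocols` and `show` are constructed stand-ins, and the merge rule is assumed to be the inherit-if-unset behaviour of nginx's `ngx_conf_merge_bitmask_value` macro.

```c
#include <stdio.h>

/* Constructed stand-ins for nginx's NGX_CONF_BITMASK_SET / NGX_SSL_* bits. */
#define BITMASK_SET 0x01u
#define TLSv1       0x08u
#define TLSv1_1     0x10u
#define TLSv1_2     0x20u
#define TLSv1_3     0x40u
#define DEFAULT_PROTOCOLS (BITMASK_SET | TLSv1 | TLSv1_1 | TLSv1_2)

/* Assumed merge rule: a level that sets nothing (0) inherits from its
 * parent; the default is used only when the parent set nothing either.
 * A non-zero child value is returned untouched, never OR-ed. */
static unsigned merge_bitmask(unsigned conf, unsigned prev, unsigned dflt)
{
    if (conf == 0) {
        conf = (prev == 0) ? dflt : prev;
    }
    return conf;
}

/* Protocol mask a server{} block ends up with after the merge. */
unsigned effective_protocols(unsigned http_level, unsigned server_level)
{
    return merge_bitmask(server_level, http_level, DEFAULT_PROTOCOLS);
}

/* Print the protocol names contained in a mask. */
static void show(const char *label, unsigned mask)
{
    printf("%-32s:%s%s%s%s\n", label,
           (mask & TLSv1)   ? " TLSv1"   : "",
           (mask & TLSv1_1) ? " TLSv1.1" : "",
           (mask & TLSv1_2) ? " TLSv1.2" : "",
           (mask & TLSv1_3) ? " TLSv1.3" : "");
}

int main(void)
{
    show("server sets TLSv1.2 only", effective_protocols(0, TLSv1_2));
    show("http sets TLSv1.3, server unset", effective_protocols(TLSv1_3, 0));
    show("nothing set anywhere", effective_protocols(0, 0));
    show("http TLSv1+1.1, server TLSv1.2",
         effective_protocols(TLSv1 | TLSv1_1, TLSv1_2));
    return 0;
}
```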