details: https://github.com/nginx/nginx/commit/ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264
branches: master
commit: ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264
user: Sergey Kandaurov <pluknet@nginx.com>
date: Wed, 9 Oct 2024 20:28:00 +0400
description:
SSL: disabled TLSv1 and TLSv1.1 by default.

TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate for
the security reasons outlined in RFC 8996.

TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1
in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0,
they are only permitted at security level 0 (disabled by default).

The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari.

This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and
newer, where TLSv1.2 support is available. For older library versions,
which do not have alternatives, these protocol versions remain enabled.

---
src/http/modules/ngx_http_grpc_module.c | 2 ++
src/http/modules/ngx_http_proxy_module.c | 2 ++
src/http/modules/ngx_http_ssl_module.c | 2 ++
src/http/modules/ngx_http_uwsgi_module.c | 2 ++
src/mail/ngx_mail_ssl_module.c | 2 ++
src/stream/ngx_stream_proxy_module.c | 2 ++
src/stream/ngx_stream_ssl_module.c | 2 ++
7 files changed, 14 insertions(+)

diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index e7726f314..d9456843d 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4477,7 +4477,9 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
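Review bot: The `#ifndef SSL_OP_NO_TLSv1_2` / `#endif` pair is placed inside the argument list of `ngx_conf_merge_bitmask_value`, which is a function-like macro in ngx_conf_file.h, and C11 §6.10.3 leaves preprocessing directives inside macro arguments undefined; GCC and Clang process them as an extension, but the construct is not portable and appears identically in the hunks for ngx_http_proxy_module.c, ngx_http_ssl_module.c, ngx_http_uwsgi_module.c, ngx_mail_ssl_module.c, ngx_stream_proxy_module.c and ngx_stream_ssl_module.c. Hoisting the conditional into a single file-scope macro (defined once next to the `NGX_SSL_TLSv1*` flags would serve all seven callers; the name below is a suggestion) keeps the merge call directive-free and gives the new default one place to document. Since the merge macro only applies the default when `ssl_protocols` is unset, an explicit `ssl_protocols` directive is unaffected by this change, which is worth stating in the directive documentation. The body of ngx_http_grpc_merge_loc_conf starts and ends outside the hunk.
```c
/* default ssl_protocols: keep TLSv1/TLSv1.1 only where TLSv1.2 is unavailable */
#ifndef SSL_OP_NO_TLSv1_2
#define NGX_SSL_DEFAULT_PROTOCOLS                                             \
    (NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)
#else
#define NGX_SSL_DEFAULT_PROTOCOLS  (NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)
#endif

/* … unchanged: rest of ngx_http_grpc_merge_loc_conf before the merge … */
    ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
                                 (NGX_CONF_BITMASK_SET
                                  |NGX_SSL_DEFAULT_PROTOCOLS));
```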
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index f9a373744..fe1952748 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3944,7 +3944,9 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index abc8d49ab..1fb1e6129 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -653,7 +653,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index c965d4bbd..f2a8dbe6a 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1879,7 +1879,9 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index b547dc101..2fee1adb8 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -345,7 +345,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index ed275c009..bbf4f7ec0 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2164,7 +2164,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 0233a9258..55bc54a44 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -884,7 +884,9 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET
+#ifndef SSL_OP_NO_TLSv1_2
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+#endif
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));

ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);