Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

Mon, 30 Nov 2020 02:52:55 -0800 

Thanks for your reply.
I've recompiled nginx on OpenBSD in order to get rid of the LibreSSL version mismatch which is gone now: 
# nginx -V
nginx version: nginx/1.18.0
built with LibreSSL 3.3.0
Unfortunately, this didn't solve the problem, i.e., TLS 1.3 is still enabled on my OpenBSD/nginx setup with the same nginx.conf.
As I've previously indicated, I've also observed the same problem on a fully patched Ubuntu 20.04 system with nginx 1.18.0/OpenSSL 1.1.1f -- I'm not sure if this was a misunderstanding since you wrote in past tense regarding problems with Ubuntu's repos. Did you also check if TLS 1.3 is enabled with "ssl_protocols TLSv1.2;" in nginx.conf but got different results? 

Best regards
Andreas

On 11/29/20 5:23 PM, Thomas Ward wrote:

We had this problem in Ubuntu's repos until we rebuilt against newer OpenSSL 
and the TLS 1.3 variables were exposed to NGINX at build time - then you could 
turn it off in ssl_protocols by not specifying TLSv1.3.However, your case 
indicates that you are linked (compiled) against older LibreSSL than you are 
running.  NGINX can't know what newer items are available without a recompile.  
This applies to OpenSSL as well.  Its not just what version of the SSL 
libraries you are running - its what version of the libs you compiled with as 
well.Sent from my Sprint Samsung Galaxy Note10+.
-------- Original message --------From: ng...@bartelt.name Date: 11/29/20  10:01  
(GMT-05:00) To: nginx@nginx.org Subject: nginx 1.18.0 implicitly enables TLS 1.3 
(with only "ssl_protocols
   TLSv1.2; " in nginx.conf config) Hello,I've noticed that nginx 1.18.0 always 
enables TLS 1.3 even if not configured to do so. I've observed this behavior on OpenBSD 
with (nginx 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0 
linked against OpenSSL 1.1.1f). I don't know which release of nginx introduced this 
bug. From nginx.conf:ssl_protocols TLSv1.2;--> in my understanding, this config 
statement should only enable TLS 1.2 but not TLS 1.3. However, the observed behavior is 
that TLS 1.3 is implicitly enabled in addition to TLS 1.2.Best regardsAndreas# nginx 
-Vnginx version: nginx/1.18.0built with LibreSSL 3.2.2 (running with LibreSSL 
3.3.0)_______________________________________________nginx mailing 
listnginx@nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx



_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to