Hello!

On Sun, Nov 29, 2020 at 04:01:07PM +0100, ng...@bartelt.name wrote:

> I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not
> configured to do so. I've observed this behavior on OpenBSD with (nginx
> 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0
> linked against OpenSSL 1.1.1f). I don't know which release of nginx
> introduced this bug.
>
> From nginx.conf:
> ssl_protocols TLSv1.2;
> --> in my understanding, this config statement should only enable TLS
> 1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is
> implicitly enabled in addition to TLS 1.2.

As long as "ssl_protocols TLSv1.2;" is the only ssl_protocols in
nginx configuration, TLSv1.3 shouldn't be enabled. Much like when
there are no "ssl_protocols" at all, as TLSv1.3 isn't enabled by
default (for now, at least up to and including nginx 1.19.5).

If you see it enabled, please provide full "nginx -T" output on
the minimal configuration you are able to reproduce the problem
with, along with some tests which demonstrate that TLSv1.3 is
indeed enabled. Full output of "nginx -V" and compilation details
might be also helpful.

--
Maxim Dounin
http://mdounin.ru/
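
Added example (not part of the reply above and not nginx code): a small check that walks an "nginx -T" dump and lists every ssl_protocols directive with its file and line, so a stray directive naming TLSv1.3 in an included file is easy to spot. The sample dump, its file paths and the function names are constructed for illustration; the parser assumes each directive sits on a single line.

```python
import re

# Constructed sample of `nginx -T` output (not taken from the thread).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2;
    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;  (commented out, must be ignored)
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# `nginx -T` prefixes each dumped file with this marker line.
FILE_MARKER = re.compile(r"^# configuration file (.+):\s*$")
# Directive name at line start or after whitespace / ; { }, value up to ';'.
DIRECTIVE = re.compile(r"(?:^|[;{}\s])ssl_protocols\s+([^;]+);")


def find_ssl_protocols(dump):
    """Return (file, line_no, [protocols]) for every ssl_protocols directive."""
    found, current, line_no = [], "<unknown>", 0
    for raw in dump.splitlines():
        marker = FILE_MARKER.match(raw)
        if marker:
            current, line_no = marker.group(1), 0  # restart numbering per file
            continue
        line_no += 1
        line = raw.split("#", 1)[0]  # drop comments (ignores '#' inside quotes)
        for match in DIRECTIVE.finditer(line):
            found.append((current, line_no, match.group(1).split()))
    return found


def tls13_sources(dump):
    """Locations of directives that name TLSv1.3 explicitly."""
    return [(f, n) for f, n, protos in find_ssl_protocols(dump) if "TLSv1.3" in protos]


if __name__ == "__main__":
    for path, n, protos in find_ssl_protocols(SAMPLE_DUMP):
        print(f"{path}:{n}: {' '.join(protos)}")
    print("TLSv1.3 named in:", tls13_sources(SAMPLE_DUMP))
```

To check a real server, pass the captured text of "nginx -T" to find_ssl_protocols() in place of SAMPLE_DUMP.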