Opened 13 years ago
Closed 11 years ago
#108 closed defect (wontfix)
ssl_protocols needs warning if only unsupported protocols are enabled
Field | Value | Field | Value
---|---|---|---
Reported by: | www.google.com/accounts/o8/id?id=AItOawktrozK57elykusSJluTo8wTTdaKdY6VLM | Owned by: | somebody
Priority: | minor | Milestone: | 
Component: | nginx-module | Version: | 1.0.x
Keywords: | | Cc: | 
uname -a: | OpenBSD some.host.net 5.0 GENERIC#43 i386 | | 
nginx -V: | nginx version: nginx/1.0.12 built by gcc 4.2.1 20070719 TLS SNI support enabled configure arguments: --prefix=/usr/opt/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --with-http_ssl_module --with-http_secure_link_module --with-pcre --user=www --group=www | | 
Description
Using "ssl_protocols TLSv1.2;" (and/or TLSv1.1 in any combination) causes nginx to refuse/fail https requests. It does start up without config complaints and it will listen to port 443, but it is not possible to connect over https.
However, using for example "ssl_protocols TLSv1.2 TLSv1;" will work, as "TLSv1" is present, BUT... when probing nginx with for example Qualys SSL server test (https://www.ssllabs.com/ssldb/analyze.html) it is determined that nginx is still only TLSv1.0 capable - neither TLSv1.2 nor TLSv1.1 will be available despite being added in the ssl_protocols list.
Change History (4)
comment:1 by , 13 years ago
Which openssl library do you use? Please note that TLSv1.1/TLSv1.2 are only available with OpenSSL 1.0.1 (beta 2 available on www.openssl.org as of now); trying to use them with older openssl versions will silently fail.
comment:2 by , 13 years ago
You are right. My bad. I have been building against OpenSSL 0.9.x. The lack of warnings threw me off here. Case closed.
comment:3 by , 13 years ago
Field | Change
---|---
Priority: | major → minor
Status: | new → accepted
Summary: | TLSv1.2 / v1.1 directive not working properly → ssl_protocols needs warning if only unsupported protocols are enabled
Note that there is intentionally no warning if TLSv1.1/TLSv1.2 aren't supported but are referred to in the config. This is done this way to encourage people to always enable these protocols. On the other hand, we probably want to add a warning if only protocols not supported by the openssl library nginx was compiled with are enabled. Leaving this as accepted for now with an updated summary.
comment:4 by , 11 years ago
Field | Change
---|---
Resolution: | → wontfix
sensitive: | → 0
Status: | accepted → closed
Doesn't seem to be a real problem, closing this.
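The check comment 3 proposes (warn only when every protocol in `ssl_protocols` is unsupported by the linked OpenSSL, stay silent when at least one usable protocol remains) as an added Python example; this is not nginx's own code. It assumes the OpenSSL version string is obtained separately (for instance from `openssl version`), since the `nginx -V` output above does not print it, and it takes the TLSv1.1/TLSv1.2 threshold of OpenSSL 1.0.1 from comment 1.

```python
import re

# Per comment 1: TLSv1.1/TLSv1.2 need OpenSSL 1.0.1 or newer.
TLS11_12_MIN_OPENSSL = (1, 0, 1)
ALWAYS_SUPPORTED = {"SSLv2", "SSLv3", "TLSv1"}
NEEDS_101 = {"TLSv1.1", "TLSv1.2"}


def parse_openssl_version(version_str):
    """Turn an OpenSSL version string such as '0.9.8r' or '1.0.1-beta2'
    into a comparable (major, minor, fix) tuple; patch letters are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version_str)
    return tuple(int(x) for x in m.groups())


def supported_protocols(openssl_version):
    """Protocol names the linked OpenSSL can actually negotiate."""
    if parse_openssl_version(openssl_version) >= TLS11_12_MIN_OPENSSL:
        return ALWAYS_SUPPORTED | NEEDS_101
    return set(ALWAYS_SUPPORTED)


def parse_ssl_protocols(config_text):
    """Protocol names from the first ssl_protocols directive, or None if
    the directive is absent (nginx then uses its built-in default)."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.M)
    if not m:
        return None
    return m.group(1).split()


def check_ssl_protocols(config_text, openssl_version):
    """Return (effective_protocols, warnings).  Unsupported names are
    silently dropped, mirroring nginx; a warning is emitted only when
    nothing usable is left, which is the case the ticket asks to flag."""
    configured = parse_ssl_protocols(config_text)
    if configured is None:
        return None, []
    usable = supported_protocols(openssl_version)
    effective = sorted(p for p in configured if p in usable)
    warnings = []
    if not effective:
        warnings.append(
            "ssl_protocols lists only protocols unsupported by OpenSSL %s "
            "(%s); every TLS handshake will fail"
            % (openssl_version, " ".join(configured)))
    return effective, warnings
```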