Opened 9 years ago

Closed 7 years ago

#108 closed defect (wontfix)

ssl_protocols needs warning if only unsupported protocols are enabled

Reported by: www.google.com/accounts/o8/id?id=AItOawktrozK57elykusSJluTo8wTTdaKdY6VLM Owned by: somebody
Priority: minor Milestone:
Component: nginx-module Version: 1.0.x
Keywords: Cc:
uname -a: OpenBSD some.host.net 5.0 GENERIC#43 i386
nginx -V: nginx version: nginx/1.0.12
built by gcc 4.2.1 20070719
TLS SNI support enabled
configure arguments: --prefix=/usr/opt/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --with-http_ssl_module --with-http_secure_link_module --with-pcre --user=www --group=www

Description

Using "ssl_protocols TLSv1.2;" (and/or TLSv1.1 in any combination) causes nginx to refuse/fail https requests. It does start up without config complaints and it will listen to port 443, but it is not possible to connect over https.

However, using for example "ssl_protocols TLSv1.2 TLSv1;" will work, as "TLSv1" is present, BUT... when probing nginx with for example Qualys SSL server test (https://www.ssllabs.com/ssldb/analyze.html) it is determined that nginx is still only TLSv1.0 capable - neither TLSv1.2 nor TLSv1.1 will be available despite being added in the ssl_protocols list.

Change History (4)

comment:1 by Maxim Dounin, 9 years ago

Which openssl library do you use? Please note that TLSv1.1/TLSv1.2 are only available with OpenSSL 1.0.1 (beta 2 available on www.openssl.org as of now), trying to use them with older openssl versions will silently fail.

comment:2 by www.google.com/accounts/o8/id?id=AItOawktrozK57elykusSJluTo8wTTdaKdY6VLM, 9 years ago

You are right. My bad. I have been building against OpenSSL 0.9.x. The lack of warnings threw me off here. Case closed.

comment:3 by Maxim Dounin, 9 years ago

Priority: majorminor
Status: newaccepted
Summary: TLSv1.2 / v1.1 directive not working properlyssl_protocols needs warning if only unsupported protocols are enabled

Note that there are intentionally no warning if TLSv1.1/TLSv1.2 aren't supported but referred in config. This is done this way to encourage people to always enable these protocols. On the other hand, we probably want to add warning if only protocols not supported by a openssl library nginx was compiled with are enabled. Leaving this as accepted for now with updated summary.

comment:4 by Maxim Dounin, 7 years ago

Resolution: wontfix
sensitive: 0
Status: acceptedclosed

Doesn't seems to be a real problem, closing this.

Note: See TracTickets for help on using tickets.