Opened 7 years ago

Closed 7 years ago

#1364 closed defect (invalid)

proxy_ssl_protocols does not handle hole in version properly, or is it?

Reported by: beber29@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.13.x
Keywords: proxy ssl
Cc:
uname -a: Linux e3 4.9.44-longterm #1 SMP Wed Aug 16 01:02:35 CEST 2017 x86_64 Intel(R) Xeon(R) CPU 5150 @ 2.66GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.13.4
built with OpenSSL 1.0.2l 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-compat --with-file-aio --with-http_v2_module --with-pcre --with-pcre-jit --with-threads --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_ssi_module --without-http_split_clients_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-http_dav_module --with-http_realip_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/ngx-fancyindex-0.4.1 --add-module=external_module/ngx_http_auth_pam_module-1.5.1 --add-module=external_module/nginx-rtmp-module-1.2.0 --add-module=external_module/nginx-dav-ext-module-0.1.0 --without-http-cache --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx

Description

Hi,

An nginx configured to reverse proxy connections using TLS with not all versions of TLS, such as with this configuration snippet:

    location / {
        proxy_ssl_protocols TLSv1 TLSv1.2;
        proxy_pass https://example.org;
    }

Then all TLS handshakes coming from nginx are made using the lowest TLS version (here 3.1) instead of the highest (here 3.3).

I am sure this is actually intended; the documentation does not really specify this.

Thanks!

Change History (1)

comment:1 by Sergey Kandaurov, 7 years ago

Resolution: invalid
Status: new → closed

You are likely confused by the record layer version number.

The proxy_ssl_protocols directive enables a set of supported protocols used to communicate with an upstream server, and, in particular when built with the OpenSSL library, the maximum supported version number in that set is sent in ClientHello in accordance with the RFC. The record layer version number is not something used for version negotiation and usually contains a stub for those older SSL/TLS servers not implementing version negotiation correctly.
Please see Appendix E of the TLS 1.2 RFC for related discussion.

See examples below.

  • if the directive contains TLSv1.1 TLSv1.2, it would send 0301 in the record layer and 0303 in ClientHello;
  • if the directive contains TLSv1 TLSv1.1, it would send 0301 in the record layer and 0302 in ClientHello.
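As an added illustration of the distinction drawn in the comment above (example code written for this page, not code from the ticket, from nginx or from OpenSSL), the following Python builds a minimal ClientHello record with independently chosen record-layer and handshake versions, then parses it back and reports which field actually states the client's maximum offered version. It goes slightly beyond the TLS 1.2 case discussed here: when a supported_versions extension (RFC 8446, type 0x002b) is present, that extension, not the handshake client_version field, carries the offered versions, and GREASE placeholder values are skipped. All sample records are constructed inline; the function and variable names are this example's own.

```python
import struct

# TLS version numbers as they appear on the wire (major 3, minor 0-4).
VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
    0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension


def build_client_hello(record_version, client_version, supported_versions=None):
    """Construct a minimal TLS record carrying a ClientHello (sample data, not nginx output)."""
    body = struct.pack("!H", client_version)          # legacy client_version
    body += bytes(32)                                 # random (zeros suffice for a sample)
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!HH", 2, 0xC02F)             # one cipher suite, 2 bytes long
    body += b"\x01\x00"                               # compression: null only
    if supported_versions:
        ext_body = bytes([2 * len(supported_versions)])
        ext_body += b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type client_hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def _is_grease(v):
    # GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ...: both bytes equal, low nibble 0xa.
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def parse_client_hello(record):
    """Return the record-layer version, handshake client_version and supported_versions list."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + record_len]
    if len(hs) != record_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    supported = None
    if pos < len(body):                              # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "supported_versions": supported}


def offered_max_version(info):
    """The highest version the client really offers; the record-layer version is never consulted."""
    if info["supported_versions"]:
        return max(v for v in info["supported_versions"] if not _is_grease(v))
    return info["client_version"]


if __name__ == "__main__":
    # Record layer says 0x0301 but ClientHello says 0x0303: TLS 1.2 is offered (the case in the ticket).
    samples = [
        build_client_hello(0x0301, 0x0303),
        build_client_hello(0x0301, 0x0302),
        build_client_hello(0x0301, 0x0303, [0x0A0A, 0x0304, 0x0303]),
    ]
    for rec in samples:
        info = parse_client_hello(rec)
        print("record layer %04x, ClientHello %04x, offered max: %s" % (
            info["record_version"], info["client_version"],
            VERSION_NAMES.get(offered_max_version(info), "unknown")))
```

To check what a real nginx build sends, capture the first outbound record of a proxied connection and feed its bytes to parse_client_hello; the record-layer field will typically read 0x0301 regardless of proxy_ssl_protocols, while offered_max_version reflects the directive.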