Opened 7 years ago
Closed 7 years ago
#1364 closed defect (invalid)
proxy_ssl_protocols does not handle hole in version properly, or is it?
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.13.x |
Keywords: | proxy ssl | Cc: | |
uname -a: | Linux e3 4.9.44-longterm #1 SMP Wed Aug 16 01:02:35 CEST 2017 x86_64 Intel(R) Xeon(R) CPU 5150 @ 2.66GHz GenuineIntel GNU/Linux | | |
nginx -V: | | | |

    nginx version: nginx/1.13.4
    built with OpenSSL 1.0.2l 25 May 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-compat --with-file-aio --with-http_v2_module --with-pcre --with-pcre-jit --with-threads --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_ssi_module --without-http_split_clients_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-http_dav_module --with-http_realip_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/ngx-fancyindex-0.4.1 --add-module=external_module/ngx_http_auth_pam_module-1.5.1 --add-module=external_module/nginx-rtmp-module-1.2.0 --add-module=external_module/nginx-dav-ext-module-0.1.0 --without-http-cache --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx
Description
Hi,
An nginx configured to reverse proxy connections using TLS with not all versions of TLS, such as in this configuration snippet:

    location / {
        proxy_ssl_protocols TLSv1 TLSv1.2;
        proxy_pass https://example.org;
    }

Then, all TLS handshakes coming from nginx are made using the lowest TLS version (here 3.1) instead of the highest (here 3.3).
I am sure this is actually intended; the documentation does not really specify this.
Thanks!
You are likely confused by the record layer version number.
The proxy_ssl_protocols directive enables a set of supported protocols used to communicate with an upstream server, and, in particular when built with the OpenSSL library, the maximum supported version number from that set is sent in the ClientHello in accordance with the RFC. The record layer version number is not something used for version negotiation and usually contains a stub for those older SSL/TLS servers that do not implement version negotiation correctly.
Please see Appendix E of the TLS 1.2 RFC for the related discussion.
See examples below.
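To make the distinction concrete, here is an added example (not nginx code and not from the ticket) that builds a minimal ClientHello record and parses back the two version fields separately: the record layer version (the 3.1 stub the reporter saw) and the handshake client_version (the 3.3 maximum that actually drives negotiation). The byte layout follows the TLS 1.2 RFC; the random field and cipher suite list are constructed sample values.

```python
import struct

# Constructed name table for the (major, minor) versions discussed in the ticket.
VERSION_NAMES = {
    (3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2",
}

def build_client_hello(client_version=(3, 3), record_version=(3, 1),
                       cipher_suites=(0xC02F,)):
    """Build a minimal ClientHello (no extensions) for illustration only."""
    body = struct.pack("!BB", *client_version)          # client_version: the max offered
    body += bytes(32)                                   # random: constructed as zeros
    body += b"\x00"                                     # session_id length: 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites vector
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    record = b"\x16" + struct.pack("!BB", *record_version)      # type 22 = handshake
    record += struct.pack("!H", len(handshake)) + handshake
    return record

def parse_client_hello_versions(record):
    """Return ((record major, minor), (client_version major, minor)).

    The record layer version is a compatibility stub and is NOT the value that
    version negotiation uses; client_version inside the handshake body is.
    (TLS 1.3 moves this to the supported_versions extension, not handled here.)
    """
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) < 5 + rec_len:
        raise ValueError("truncated record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_ver = (record[9], record[10])
    return rec_ver, hs_ver

def explain(record):
    """One-line summary a practitioner would want when reading a capture."""
    rec_ver, hs_ver = parse_client_hello_versions(record)
    return (f"record layer says {VERSION_NAMES.get(rec_ver, rec_ver)}, "
            f"ClientHello offers up to {VERSION_NAMES.get(hs_ver, hs_ver)}")

if __name__ == "__main__":
    # Mirrors the ticket: proxy_ssl_protocols TLSv1 TLSv1.2 with OpenSSL 1.0.2
    print(explain(build_client_hello()))
```

Feeding the first bytes of a real captured ClientHello to parse_client_hello_versions shows the same split, so a 3.1 in the record header alone does not mean the client is limited to TLS 1.0.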