id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1364	proxy_ssl_protocols does not handle hole in version properly, or does it?	beber29@…		"Hi,

Take an nginx configured to reverse-proxy connections using TLS with not all versions of TLS enabled, as in this configuration snippet:

  location / {
    proxy_ssl_protocols TLSv1 TLSv1.2;
    proxy_pass https://example.org;
  }

Then, all TLS handshakes coming from nginx are made using the lowest TLS version (here 3.1) instead of the highest (here 3.3).

I am sure this is actually intended; the documentation does not really specify this.

Thanks!"	defect	closed	minor		nginx-core	1.13.x	invalid	proxy ssl		Linux e3 4.9.44-longterm #1 SMP Wed Aug 16 01:02:35 CEST 2017 x86_64 Intel(R) Xeon(R) CPU 5150 @ 2.66GHz GenuineIntel GNU/Linux	"  nginx version: nginx/1.13.4
  built with OpenSSL 1.0.2l  25 May 2017
  TLS SNI support enabled
  configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-compat --with-file-aio --with-http_v2_module --with-pcre --with-pcre-jit --with-threads --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_ssi_module --without-http_split_clients_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-http_dav_module --with-http_realip_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/ngx-fancyindex-0.4.1 --add-module=external_module/ngx_http_auth_pam_module-1.5.1 --add-module=external_module/nginx-rtmp-module-1.2.0 --add-module=external_module/nginx-dav-ext-module-0.1.0 --without-http-cache --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx
"
