Opened 23 months ago

Closed 23 months ago

Last modified 23 months ago

#1687 closed defect (wontfix)

Overrides system default minimum TLS version

Reported by: Kurt Roeckx
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.15.x
Keywords:
Cc:
uname -a:
nginx -V: https://hg.nginx.org/nginx/rev/7ad0f4ace359

Description

In https://hg.nginx.org/nginx/rev/7ad0f4ace359 SSL_CTX_set_min_proto_version() is unconditionally called with 0, overriding the system defaults. Please do this based on a config file and don't call SSL_CTX_set_min_proto_version() when nothing is specified in the config file.

Change History (4)

comment:1 by Maxim Dounin, 23 months ago

Resolution: wontfix
Status: new → closed

Thank you for your feedback. Allowed SSL protocol versions are configured using the ssl_protocols directive, and the default is explicitly documented.

The change in question was specifically made to mitigate effects of system wide defaults like the one you've added in Debian, as we have multiple complaints from users who cannot understand what goes on, why some protocols do not work, and how to deal with it.

If you want nginx to use different protocols on your OS than on other OSes, consider shipping nginx.conf with appropriate ssl_protocols in it.

comment:2 by Kurt Roeckx, 23 months ago

The point of system-wide defaults is so that there actually is one place where you can change the behavior of all applications. Overriding that default without the user explicitly overriding it is counterintuitive, and may lead to the user having a false sense of security.

comment:3 by Maxim Dounin, 23 months ago

In theory. In practice, there are a number of problems with this approach - in particular, it contradicts the documented nginx default, does not work for other SSL libraries (including other builds of OpenSSL), and users are simply not aware of this system-wide default and how to configure it.

comment:4 by Kurt Roeckx, 23 months ago

The nginx documentation currently says you can enable SSLv2 and SSLv3, but those protocols have been compiled out of OpenSSL for a while now. If you enable them in the nginx config file, they will still not work. So you can argue that the nginx documentation would be wrong in that case too.

Anyway, it would be nice if you could at least add support for the new SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() API in the config file. The SSL_OP_NO_* flags to configure the supported versions have been deprecated.
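Added example, not part of the ticket and not nginx's or OpenSSL's own code: the behaviour argued over in comment:1 (mapping an ssl_protocols-style list onto an SSL_CTX) and comment:4 (the deprecated SSL_OP_NO_* flags versus the SSL_CTX_set_min_proto_version() / SSL_CTX_set_max_proto_version() API), driven through Python's standard ssl module, whose SSLContext.minimum_version and maximum_version setters call exactly those two OpenSSL functions and whose options setter calls SSL_CTX_set_options(). Assumptions: the directive token spelling (TLSv1, TLSv1.1, TLSv1.2, TLSv1.3) is borrowed from nginx's ssl_protocols, and all function names are mine. What a fresh context reports as its minimum is whatever the library chose, which may be a Debian-style openssl.cnf MinProtocol or the binding's own default (the CPython 3.10 release notes document a default minimum of TLS 1.2); the block never asserts on that value, only on what it sets itself.

```python
"""Added example (not nginx's or OpenSSL's code): OpenSSL's protocol-version
API seen through Python's ssl module, which wraps the same calls."""
import ssl
import warnings

# Ascending version order, used to check that a list is a contiguous range.
_ORDER = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

# Assumed token spelling, borrowed from nginx's ssl_protocols directive.
_NAMES = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
          "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

# The deprecated per-version flags (SSL_OP_NO_TLSv1 and friends).
_NO_FLAGS = {ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
             ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
             ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
             ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3}


def new_server_context():
    """A fresh context; nothing here sets a minimum. What it reports is the
    library's choice: an openssl.cnf [system_default_sect] MinProtocol, or
    the binding's own default (TLS 1.2 on CPython 3.10+)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def reset_to_library_bounds(ctx):
    """What SSL_CTX_set_min_proto_version(ctx, 0) does. The binding passes
    MINIMUM_SUPPORTED as 0, so any system-wide or library default minimum
    is discarded and the floor drops to the lowest version the library
    was built with. Reads back as (-2, -1) in the binding's encoding."""
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return int(ctx.minimum_version), int(ctx.maximum_version)


def parse_directive(directive):
    """Turn 'TLSv1.2 TLSv1.3' into a sorted list of TLSVersion members."""
    return sorted(_NAMES[tok] for tok in directive.split())


def directive_is_contiguous(directive):
    """The min/max API can only express a range. 'TLSv1 TLSv1.3' (a hole at
    1.1 and 1.2) is expressible with per-version flags, but not as a range."""
    wanted = parse_directive(directive)
    lo, hi = _ORDER.index(wanted[0]), _ORDER.index(wanted[-1])
    return list(_ORDER[lo:hi + 1]) == wanted


def apply_with_flags(ctx, directive):
    """Per-version SSL_OP_NO_* flags, the style the API deprecated. They
    switch versions off one at a time but leave the min/max bounds alone,
    so SSL_CTX_get_min_proto_version still reports the library minimum."""
    wanted = set(parse_directive(directive))
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # the flags warn
        for version, flag in _NO_FLAGS.items():
            if version not in wanted:
                ctx.options |= flag
    return int(ctx.minimum_version), int(ctx.maximum_version)


def apply_with_range(ctx, directive):
    """The replacement API: one minimum and one maximum. Refuses a list
    with a hole in it rather than silently widening it."""
    if not directive_is_contiguous(directive):
        raise ValueError("not expressible as min/max: " + directive)
    wanted = parse_directive(directive)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/1.1 warn
        ctx.minimum_version = wanted[0]
        ctx.maximum_version = wanted[-1]
    return int(ctx.minimum_version), int(ctx.maximum_version)


def version_disabled_by_flag(ctx, version_name):
    """True if the SSL_OP_NO_* flag for this version is set on the context."""
    return bool(ctx.options & _NO_FLAGS[_NAMES[version_name]])


if __name__ == "__main__":
    ctx = new_server_context()
    print("minimum as created:", ctx.minimum_version.name)
    print("after reset to 0:", reset_to_library_bounds(ctx))
    print("flags, 'TLSv1.2 TLSv1.3':", apply_with_flags(ctx, "TLSv1.2 TLSv1.3"))
    print("range, 'TLSv1.2 TLSv1.3':",
          apply_with_range(new_server_context(), "TLSv1.2 TLSv1.3"))
```

Running the block shows the two sides of the argument in one place: after the reset the context reports the library minimum regardless of what openssl.cnf said, and the flag-based path leaves that report unchanged even though it has disabled TLSv1 and TLSv1.1, which is why tools that inspect only the min/max bounds misjudge a flag-configured context. The range-based path gives a truthful report but cannot express a non-contiguous list, a limitation any config-file mapping onto the new API has to decide how to handle.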
