Opened 11 months ago

Closed 11 months ago

Last modified 11 months ago

#1687 closed defect (wontfix)

Overrides system default minimum TLS version

Reported by: kroeckx@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.15.x
Keywords: Cc:
uname -a:
nginx -V: https://hg.nginx.org/nginx/rev/7ad0f4ace359

Description

In https://hg.nginx.org/nginx/rev/7ad0f4ace359 SSL_CTX_set_min_proto_version() is unconditionally called with 0, overriding the system defaults. Please do this based on a config file and don't call SSL_CTX_set_min_proto_version() when nothing is specified in the config file.

Change History (4)

comment:1 Changed 11 months ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

Thank you for your feedback. Allowed SSL protocol versions are configured using the ssl_protocols directive, and the default is explicitly documented.

The change in question was specifically made to mitigate the effects of system-wide defaults like the one you've added in Debian, as we have multiple complaints from users who cannot understand what goes on, why some protocols do not work, and how to deal with it.

If you want nginx to use different protocols on your OS than on other OSes, consider shipping nginx.conf with appropriate ssl_protocols in it.

comment:2 Changed 11 months ago by kroeckx@…

The point of system-wide defaults is so that there actually is 1 place where you can change the behavior of all applications. Overriding that default without the user explicitly overriding it is counterintuitive, and may lead to the user having a false sense of security.

comment:3 Changed 11 months ago by mdounin

In theory. In practice, there are a number of problems with this approach - in particular, it contradicts the documented nginx default, does not work for other SSL libraries (including other builds of OpenSSL), and users are simply not aware of this system-wide default and how to configure it.

comment:4 Changed 11 months ago by kroeckx@…

The nginx documentation currently says you can enable SSLv2 and SSLv3, but those protocols have been compiled out of OpenSSL for a while now. If you enable them in the nginx config file, they will still not work. So you can argue that the nginx documentation would be wrong in that case too.

Anyway, it would be nice if you could at least add support for the new SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() API in the config file. The SSL_OP_NO_* flags to configure the supported version have been deprecated.
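Added example, not part of the ticket: the explicit nginx.conf policy comment:1 recommends, so that the accepted TLS versions come from the documented ssl_protocols directive rather than from an OpenSSL system default (such as a MinProtocol setting in openssl.cnf) that the linked change resets via SSL_CTX_set_min_proto_version(ctx, 0). The host name and certificate paths are placeholders.

```nginx
# Added example (not from the ticket): pin the TLS policy in nginx.conf itself.
# nginx 1.15.x resets the OpenSSL minimum protocol version, so a system-wide
# MinProtocol in openssl.cnf is NOT inherited; only ssl_protocols applies.
http {
    # Set at http level so every server{} inherits it. A server{} block can
    # still override it, so check all included files when auditing a host.
    ssl_protocols TLSv1.2 TLSv1.3;

    server {
        listen 443 ssl;
        server_name example.com;                              # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;     # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;       # placeholder
    }
}
```

To confirm the policy took effect after a reload, connect with `openssl s_client -connect example.com:443 -tls1_1` and expect the handshake to fail, while `-tls1_2` succeeds.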
