Opened 5 years ago
Closed 5 years ago
Last modified 4 years ago
#1687 closed defect (wontfix)
Overrides system default minimum TLS version
Reported by: Kurt Roeckx | Owned by:
In https://hg.nginx.org/nginx/rev/7ad0f4ace359 SSL_CTX_set_min_proto_version() is unconditionally called with 0, overriding the system defaults. Please do this based on a config file and don't call SSL_CTX_set_min_proto_version() when nothing is specified in the config file.
Change History (4)
comment:1 by , 5 years ago
Status: new → closed
comment:2 by , 4 years ago
The point of system wide defaults is so that there actually is 1 place where you can change the behavior of all applications. Overriding that default without the user explicitly overriding it is counterintuitive, and may lead to the user having a false sense of security.
comment:3 by , 4 years ago
In theory. In practice, there are a number of problems with this approach - in particular, it contradicts the documented nginx default, does not work for other SSL libraries (including other builds of OpenSSL), and users are simply not aware of this system wide default and how to configure it.
comment:4 by , 4 years ago
The nginx documentation currently says you can enable SSLv2 and SSLv3, but those protocols have been compiled out of OpenSSL for a while now. If you enable them in the nginx config file, they will still not work. So you can argue that the nginx documentation would be wrong in that case too.
Anyway, it would be nice if you could at least add support for the new SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() API in the config file. The SSL_OP_NO_* flags to configure the supported version have been deprecated.
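As an added illustration (not code from nginx or from this ticket), this helper translates an ssl_protocols-style value into the (min, max) pair that the SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() API takes, reports "call nothing" when the directive is absent so the system default from openssl.cnf stays in force, and rejects a non-contiguous set that the old SSL_OP_NO_* bits could express but the range API cannot. The function name and return-code convention are assumptions of this example; the version constants are copied from OpenSSL's headers so it compiles without them.

```c
#include <string.h>

/* Version codes as defined in OpenSSL's ssl3.h/tls1.h, copied here so this
 * example compiles without the OpenSSL headers. */
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

static const struct { const char *name; int version; } names[] = {
    { "SSLv3", SSL3_VERSION }, { "TLSv1", TLS1_VERSION },
    { "TLSv1.1", TLS1_1_VERSION }, { "TLSv1.2", TLS1_2_VERSION },
    { "TLSv1.3", TLS1_3_VERSION },
};
#define NNAMES ((int)(sizeof(names) / sizeof(names[0])))

/* Map an nginx-style "ssl_protocols" value (hypothetical helper) to the
 * (min, max) pair for SSL_CTX_set_min_proto_version()/_max_proto_version().
 *  1: directive present, *min/*max filled in -> call both setters
 *  0: directive absent or empty -> call neither; the library/system default
 *     (e.g. MinProtocol in openssl.cnf) stays in force
 * -1: unknown name, or a set with a hole such as "TLSv1 TLSv1.2": the
 *     min/max API is a contiguous range, unlike the deprecated SSL_OP_NO_* bits */
int protocols_to_range(const char *directive, int *min, int *max)
{
    int enabled[NNAMES] = { 0 }, lo = -1, hi = -1, i;
    char buf[128], *tok;

    if (directive == NULL)
        return 0;
    if (strlen(directive) >= sizeof(buf))
        return -1;
    strcpy(buf, directive);
    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        for (i = 0; i < NNAMES && strcmp(tok, names[i].name) != 0; i++)
            ;
        if (i == NNAMES) return -1;        /* not a protocol nginx knows */
        enabled[i] = 1;
    }
    for (i = 0; i < NNAMES; i++) {
        if (!enabled[i]) continue;
        if (lo >= 0 && i != hi + 1) return -1;   /* gap: not one range */
        if (lo < 0) lo = i;
        hi = i;
    }
    if (lo < 0) return 0;                  /* only whitespace: leave defaults */
    *min = names[lo].version;
    *max = names[hi].version;
    return 1;
}
```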
Thank you for your feedback. Allowed SSL protocol versions are configured using the ssl_protocols directive, and the default is explicitly documented.
The change in question was specifically made to mitigate effects of system wide defaults like the one you've added in Debian, as we have multiple complaints from users who cannot understand what goes on, why some protocols do not work, and how to deal with it.
If you want nginx to use different protocols on your OS than on other OSes, consider shipping