#1911 closed enhancement (wontfix)
[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | nginx-1.17 |
| Component: | nginx-core | Version: | 1.17.x |
| Keywords: | | Cc: | |
| uname -a: | | | |
| nginx -V: | nginx version: nginx/1.17.8 built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1) configure arguments: --prefix=/usr/local | | |
Description
[Sent to trac as nginx mx server is rejecting my email]
Major browsers are deprecating TLS 1.0 and TLS 1.1.
IETF Draft:
https://www.ietf.org/id/draft-ietf-tls-oldversions-deprecate-05.txt
Attachments (1)
Change History (4)
by , 5 years ago
comment:1 by , 5 years ago
comment:2 by , 5 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
In no particular order:
- The patch proposed is clearly wrong.
- Please see http://nginx.org/en/docs/contributing_changes.html on how to submit patches.
- The draft referenced is a draft, not even an RFC. Further, it is an expired draft.
- TLSv1.0 and TLSv1.1 are still used by various old clients, and these are the only available protocols for these clients. In particular, this includes old Android phones. According to https://caniuse.com/#feat=tls1-2, right now there are about 3% of such clients.
Given the above, disabling TLSv1.0 and TLSv1.1 by default in nginx might not be a good idea. Certainly this is not something we want to be the default right now. Instead, one may consider doing something similar to what Wikipedia is doing now by configuring appropriate redirects based on the $ssl_protocol variable.
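As an added example (not from the ticket, its attachment, or the nginx project), the following fragment of an http{} context shows one way to apply the $ssl_protocol-based approach mentioned in the comment above: legacy protocols stay enabled so old clients can still connect, the negotiated protocol is written to the access log so the share of such clients can be measured, and clients that negotiated TLSv1.0 or TLSv1.1 are redirected to a static notice page instead of the site. The hostname, certificate paths, document root, log path and the /tls-deprecated location are all assumed placeholders.

```nginx
# Added example: keep TLSv1.0/1.1 reachable for legacy clients, log the
# negotiated protocol, and steer legacy-protocol clients to a notice page.
# Hostnames, file paths and the /tls-deprecated location are assumptions.

# $legacy_tls is "1" when the client negotiated a protocol older than
# TLSv1.2 and empty otherwise (nginx reports the version string from the
# TLS library, e.g. "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3").
map $ssl_protocol $legacy_tls {
    default   "";
    "TLSv1"   1;
    "TLSv1.1" 1;
}

# Record protocol and cipher per request so the legacy share can be
# measured before the ssl_protocols line is tightened.
log_format tls '$remote_addr [$time_local] "$request" $status '
               'proto=$ssl_protocol cipher=$ssl_cipher';

server {
    listen 443 ssl;
    server_name example.com;                     # assumed
    access_log /var/log/nginx/tls.log tls;       # assumed path

    ssl_certificate     /etc/nginx/example.com.crt;   # assumed
    ssl_certificate_key /etc/nginx/example.com.key;   # assumed

    # Legacy protocols stay enabled on purpose. Once the logged share of
    # legacy clients is acceptable, this becomes "TLSv1.2 TLSv1.3".
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    # Legacy-protocol clients get the notice page instead of the content.
    location / {
        if ($legacy_tls) {
            return 302 /tls-deprecated;
        }
        root /var/www/example.com;   # assumed
    }

    # The notice page itself is served without the check, so legacy
    # clients can actually read it and no redirect loop occurs.
    location = /tls-deprecated {
        root /var/www/example.com;   # assumed; a static HTML page
    }
}
```

The map and log_format directives belong at http{} level, the server block under it. Counting the proto= field in the resulting log over a representative period gives the site's own legacy-client share, which is the number to compare against the figures quoted in this ticket before removing TLSv1 and TLSv1.1 from ssl_protocols.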
comment:3 by , 4 years ago
A minor update on the topic:
- the draft is now RFC 8996
- non-TLS1.2 statistics decreased to 1.58% (at the time of writing).