Opened 22 months ago

Closed 22 months ago

Last modified 4 months ago

#1911 closed enhancement (wontfix)

[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020

Reported by: loganaden@…
Owned by:
Priority: minor
Milestone: nginx-1.17
Component: nginx-core
Version: 1.17.x
Keywords:
Cc:
uname -a:
nginx -V: nginx version: nginx/1.17.8
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
configure arguments: --prefix=/usr/local


[Sent to trac as nginx mx server is rejecting my email]
Major browsers are deprecating TLS 1.0 and TLS 1.1.
IETF Draft:

Attachments (1)

patch.tls (1.0 KB ) - added by loganaden@… 22 months ago.
[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020


Change History (4)

by loganaden@…, 22 months ago

Attachment: patch.tls added

[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020

comment:2 by Maxim Dounin, 22 months ago

Resolution: wontfix
Status: new → closed

In no particular order:

  • The patch proposed is clearly wrong.
  • Please see on how to submit patches.
  • The draft referenced is a draft, not even an RFC. Further, it is an expired draft.
  • TLSv1.0 and TLSv1.1 are still used by various old clients, and these are the only available protocols for these clients. In particular, this includes old Android phones. According to, right now there are about 3% of such clients.

Given the above, disabling TLSv1.0 and TLSv1.1 by default in nginx might not be a good idea. Certainly this is not something we want to be the default right now. Instead, one may consider doing something similar to what Wikipedia is doing now by configuring appropriate redirects based on the $ssl_protocol variable.
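
A sketch of the `$ssl_protocol`-based redirect mentioned in the comment above, as an added example that is not part of the ticket and is neither nginx's nor Wikipedia's own configuration. The hostname, certificate paths, log path and the `/tls-upgrade.html` notice page are placeholders; `$legacy_tls` and the `tls` log format are names chosen here.

```nginx
# http{} context. Added example; all names and paths are placeholders.

# Flag connections negotiated with the protocols RFC 8996 deprecates.
map $ssl_protocol $legacy_tls {
    default   0;
    TLSv1     1;
    TLSv1.1   1;
}

# Record the negotiated protocol so the share of legacy clients can be
# measured on your own traffic before changing ssl_protocols.
log_format tls '$remote_addr [$time_local] $ssl_protocol $ssl_cipher '
               '"$request" $status "$http_user_agent"';

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # The old protocols stay enabled on purpose: a legacy client must be
    # able to finish the handshake in order to receive the notice.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/tls_access.log tls;

    # Notice page is served to every client, so the redirect cannot loop.
    location = /tls-upgrade.html {
        root /usr/share/nginx/html;
    }

    location / {
        # Legacy clients get the upgrade notice instead of site content.
        if ($legacy_tls) {
            return 302 /tls-upgrade.html;
        }
        root /usr/share/nginx/html;
    }
}
```

Once the log shows a negligible share of `TLSv1` and `TLSv1.1` connections, the two protocols can be dropped from `ssl_protocols` and the `map` and `if` blocks removed.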

comment:3 by Sergey Kandaurov, 4 months ago

A minor update on the topic:

  • the draft is now RFC 8996
  • non-TLS1.2 statistics decreased to 1.58% (at the time of writing).