Opened 6 months ago

Closed 6 months ago

#1911 closed enhancement (wontfix)

[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020

Reported by: loganaden@… Owned by:
Priority: minor Milestone: nginx-1.17
Component: nginx-core Version: 1.17.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.17.8
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
configure arguments: --prefix=/usr/local

Description

[Sent to trac as nginx mx server is rejecting my email]
Major browsers are deprecating TLS 1.0 and TLS 1.1.
IETF Draft:
https://www.ietf.org/id/draft-ietf-tls-oldversions-deprecate-05.txt

Attachments (1)

patch.tls (1.0 KB ) - added by loganaden@… 6 months ago.
[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020


Change History (3)

by loganaden@…, 6 months ago

Attachment: patch.tls added

[PATCH] Deprecate TLS 1.0 and TLS 1.1 for March 2020

comment:2 by Maxim Dounin, 6 months ago

Resolution: wontfix
Status: new → closed

In no particular order:

  • The patch proposed is clearly wrong.
  • Please see http://nginx.org/en/docs/contributing_changes.html on how to submit patches.
  • The draft referenced is a draft, not even an RFC. Further, it is an expired draft.
  • TLSv1.0 and TLSv1.1 are still used by various old clients, and these are the only available protocols for these clients. In particular, this includes old Android phones. According to https://caniuse.com/#feat=tls1-2, right now there are about 3% of such clients.

Given the above, disabling TLSv1.0 and TLSv1.1 by default in nginx might not be a good idea. Certainly this is not something we want to be the default right now. Instead, one may consider doing something similar to what Wikipedia is doing now by configuring appropriate redirects based on the $ssl_protocol variable.
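The redirect approach mentioned in the comment above, as an added configuration example that is neither the ticket's attached patch nor the nginx project's own code: it keeps TLSv1.0 and TLSv1.1 enabled so old clients can still connect, logs the negotiated protocol so the actual share of legacy clients can be measured before any default is changed, and sends clients that negotiated a legacy version to a warning page via a `map` on the `$ssl_protocol` variable. The hostname, certificate paths, log path and warning-page path are placeholders.

```nginx
http {
    # Record the negotiated protocol and cipher per request so the fraction of
    # TLSv1/TLSv1.1 clients can be measured from the logs before deciding
    # whether disabling those versions is acceptable for this site.
    log_format tls_audit '$remote_addr [$time_local] "$request" $status '
                         'proto=$ssl_protocol cipher=$ssl_cipher';

    # nginx reports TLS 1.0 as "TLSv1" and TLS 1.1 as "TLSv1.1" in $ssl_protocol.
    # Anything else (TLSv1.2, TLSv1.3) is treated as current.
    map $ssl_protocol $legacy_tls {
        default   0;
        "TLSv1"   1;
        "TLSv1.1" 1;
    }

    server {
        listen 443 ssl;
        server_name example.com;                               # placeholder

        ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path

        # Legacy versions deliberately left enabled; the alternative of simply
        # restricting this to "TLSv1.2 TLSv1.3" would cut off the old clients.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

        access_log /var/log/nginx/tls_audit.log tls_audit;    # placeholder path

        # The warning page is served to everyone without a redirect, so a
        # legacy client reaching it does not loop.
        location = /tls-deprecated.html {
            root /var/www/legacy;                              # placeholder path
        }

        location / {
            # Legacy clients get the notice instead of the application.
            if ($legacy_tls) {
                return 302 /tls-deprecated.html;
            }
            root /var/www/site;                                # placeholder path
        }
    }
}
```

The `map` and `log_format` directives must live in the `http` context, as shown. Once the audit log shows the legacy share has dropped to a level the operator accepts, the `ssl_protocols` line can be reduced to `TLSv1.2 TLSv1.3` and the `map` and `if` block removed; until then the log gives a measured basis for that decision rather than a global estimate.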
