id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2250	nginx does not respond via TLSv1 and TLSv1.1 when built with OpenSSL 3.0.0	soukichi@…		"nginx v1.21.3 does not respond via TLSv1 and TLSv1.1 when built with OpenSSL 3.0.0, even when it is compiled with ""--with-openssl-opt=enable-weak-ssl-ciphers"".

Using testssl.sh:
{{{
$ ./testssl.sh tls.example.net | grep TLS
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
}}}

e.g. nginx.conf
{{{
# cat /usr/local/nginx/conf/nginx.conf
worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  tls.example.net;

        ssl_certificate      tls.crt;
        ssl_certificate_key  tls.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_session_timeout  5m;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}
}}}

When I compile it with OpenSSL 1.1.1l, nginx will respond over TLSv1 and TLSv1.1.

Compiled with OpenSSL 1.1.1l:
{{{
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2) 
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-1.1.1l --with-openssl-opt=enable-weak-ssl-ciphers --with-http_ssl_module
}}}

Using the same nginx.conf:

{{{
$ ./testssl.sh tls.example.net | grep TLS
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
}}}"	defect	closed	minor		nginx-module		invalid			Linux origin000 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux	"# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2) 
built with OpenSSL 3.0.0 7 sep 2021
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-3.0.0 --with-openssl-opt=enable-weak-ssl-ciphers --with-http_ssl_module"
