Opened 5 days ago

Closed 5 days ago

#2305 closed defect (duplicate)

ssl_protocols directive in server { } doesn't work

Reported by: Erictoby@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.19.x
Keywords: ssl_protocols Cc:
uname -a: Linux ericlinux 5.11.0-1025-oracle #27~20.04.1-Ubuntu SMP Fri Jan 7 18:58:08 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
nginx -V: nginx version: nginx/1.20.2
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.20.2/debian/debuild-base/nginx-1.20.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description (last modified by Erictoby@…)

"ssl_protocols" could be located either in http { } or in server { } in /etc/nginx/nginx.conf. It, however, doesn't work anymore in server { }.

version 1.19.4 : work either in http { } or in server { }
version 1.20.2 : only work in http { }
version 1.21.5 : only work in http { }

Example)

http {
    ssl_protocols TLSv1.1 TLSv1.2;
    server {
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}

==> TLS 1.1 & TLS 1.2 work, but TLS 1.3 doesn't work.

http {
    server {
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}

==> TLS 1.2 work, but TLS 1.3 doesn't work.

http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
    }
}

==> TLS 1.2 & TLS 1.3 work;

Change History (3)

comment:1 by Maxim Dounin, 5 days ago

Could you please show exact self-contained configuration which demonstrate the problem? Depending on the exact configuration, most like it is either duplicate of #676 (ssl_protocols cannot be used in name-based virtual servers, configuration from the default server applies) or #2071 (due to a bug OpenSSL disables TLSv1.3 if no certificates are specified in the default server block, fixed in OpenSSL 1.1.1j).

comment:2 by Erictoby@…, 5 days ago

Description: modified (diff)

I was confused because it didn't work since I upgraded nginx to 1.20.2(or 1.21.5-quic in other server) from 1.19.4 with all the *.conf same. But, I found it's already discussed in the ticket #2101, #2071 (thanks Maxim).

ssl_protocols should be in http{} or in server{} with "default_server" since 1.19.6+.

Now, I did quick test again with 1.21.5 with BoringSSL(current version as of today). Result: ssl_protocols in default server{} block works. ssl_protocols in non-default server{} block doesn't work.

If this is the permanent case, updating the documentation may help us. For example, http://nginx.org/en/docs/http/configuring_https_servers.html.

Thanks.

comment:3 by Maxim Dounin, 5 days ago

Resolution: duplicate
Status: newclosed

ssl_protocols should be in http{} or in server{} with "default_server" since 1.19.6+

That's not something "since 1.19.6+", that's how it always worked, regardless of nginx version: things which are set up before the server name is known can be only configured in default servers, and not pure virtual ones. And this equally applies to ssl_protocols in all nginx version. Details are explained in ticket #676 and linked mailing list thread.

If you are seeing a change in 1.19.6, the most likely reason is that the configuration is actually changed and in the default server you are using ssl_reject_handshake without any certificates. This might be something happened silently due to changes in default configuration files provided by the nginx package you are using.

As previously explained, this is a bug in OpenSSL which disables TLSv1.3 if there are no certificates configured. The bug is fixed in OpenSSL 1.1.1j. In the buggy OpenSSL version you are using it can be worked around by using a dummy certificate in the default server.

Closing this as a duplicate of #2071.

Note: See TracTickets for help on using tickets.