Opened 2 years ago

Closed 2 years ago

#2305 closed defect (duplicate)

ssl_protocols directive in server { } doesn't work

Reported by: Erictoby@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.19.x
Keywords: ssl_protocols
Cc:
uname -a: Linux ericlinux 5.11.0-1025-oracle #27~20.04.1-Ubuntu SMP Fri Jan 7 18:58:08 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
nginx -V: nginx version: nginx/1.20.2
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.20.2/debian/debuild-base/nginx-1.20.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description (last modified by Erictoby@…)

"ssl_protocols" could be located either in http { } or in server { } in /etc/nginx/nginx.conf. It, however, doesn't work anymore in server { }.

version 1.19.4: works either in http { } or in server { }
version 1.20.2: only works in http { }
version 1.21.5: only works in http { }

Example:

http {
    ssl_protocols TLSv1.1 TLSv1.2;
    server {
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}

==> TLS 1.1 & TLS 1.2 work, but TLS 1.3 doesn't work.

http {
    server {
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}

==> TLS 1.2 works, but TLS 1.3 doesn't work.

http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
    }
}

==> TLS 1.2 & TLS 1.3 work.

Change History (3)

comment:1 by Maxim Dounin, 2 years ago

Could you please show an exact self-contained configuration which demonstrates the problem? Depending on the exact configuration, most likely it is either a duplicate of #676 (ssl_protocols cannot be used in name-based virtual servers, configuration from the default server applies) or #2071 (due to a bug OpenSSL disables TLSv1.3 if no certificates are specified in the default server block, fixed in OpenSSL 1.1.1j).

comment:2 by Erictoby@…, 2 years ago

Description: modified (diff)

I was confused because it didn't work since I upgraded nginx to 1.20.2 (or 1.21.5-quic on another server) from 1.19.4 with all the *.conf the same. But I found it's already discussed in tickets #2101 and #2071 (thanks Maxim).

ssl_protocols should be in http{} or in server{} with "default_server" since 1.19.6+.

Now, I did a quick test again with 1.21.5 with BoringSSL (current version as of today). Result: ssl_protocols in the default server { } block works. ssl_protocols in a non-default server { } block doesn't work.

If this is the permanent case, updating the documentation may help us. For example, http://nginx.org/en/docs/http/configuring_https_servers.html.

Thanks.

comment:3 by Maxim Dounin, 2 years ago

Resolution: duplicate
Status: new → closed

ssl_protocols should be in http{} or in server{} with "default_server" since 1.19.6+

That's not something "since 1.19.6+", that's how it always worked, regardless of nginx version: things which are set up before the server name is known can only be configured in default servers, and not pure virtual ones. And this equally applies to ssl_protocols in all nginx versions. Details are explained in ticket #676 and the linked mailing list thread.

If you are seeing a change in 1.19.6, the most likely reason is that the configuration has actually changed and in the default server you are using ssl_reject_handshake without any certificates. This might be something that happened silently due to changes in the default configuration files provided by the nginx package you are using.

As previously explained, this is a bug in OpenSSL which disables TLSv1.3 if there are no certificates configured. The bug is fixed in OpenSSL 1.1.1j. In the buggy OpenSSL version you are using it can be worked around by using a dummy certificate in the default server.

Closing this as a duplicate of #2071.
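Added example, not part of the ticket and not code from nginx or from anyone in the thread: a small Python lint that applies the two rules from comment:3 to an nginx config. It flags ssl_protocols in a server { } that is not the default server for its listen address (explicit default_server, else the first server declared for that address), and a default server that uses ssl_reject_handshake with no ssl_certificate, the OpenSSL < 1.1.1j TLSv1.3 case from #2071. The two embedded configs are constructed for the example: BROKEN mirrors the layout Maxim suspects, FIXED is the corrected one; the server names and certificate paths are made up.

```python
"""Lint an nginx config for ssl_protocols directives that cannot take effect.

Added example (not nginx code). Rule encoded, from comment:3 of the ticket:
the TLS protocol version is negotiated before the server name is known, so
ssl_protocols only takes effect in http { } or in the default server of a
listen address. A non-default virtual server's ssl_protocols is ignored.
"""
import re
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r"""\{|\}|;|"[^"]*"|'[^']*'|[^\s{};"']+""")


@dataclass
class Server:
    index: int                                      # declaration order in http { }
    listens: list = field(default_factory=list)     # [(address, has default_server)]
    directives: dict = field(default_factory=dict)  # name -> list of argument lists


def tokenize(text):
    """Split nginx syntax into words, quoted strings, '{', '}' and ';'."""
    return TOKEN_RE.findall(re.sub(r"#[^\n]*", "", text))


def parse_servers(text):
    """Return one Server per http-level server { } block, in declaration order."""
    servers, stack, args, current = [], [], [], None
    for tok in tokenize(text):
        if tok == "{":
            name = args[0] if args else ""
            if name == "server" and stack and stack[-1] == "http":
                current = Server(index=len(servers))
                servers.append(current)
            stack.append(name)
            args = []
        elif tok == "}":
            if stack and stack.pop() == "server" and stack and stack[-1] == "http":
                current = None
            args = []
        elif tok == ";":
            # Only directives directly inside server { } matter for this check.
            if current is not None and stack[-1] == "server" and args:
                if args[0] == "listen" and len(args) > 1:
                    current.listens.append((args[1], "default_server" in args[2:]))
                current.directives.setdefault(args[0], []).append(args[1:])
            args = []
        else:
            args.append(tok)
    return servers


def default_servers(servers):
    """Map listen address -> (server index, explicit) of its default server.

    Addresses are compared as written ("443" and "0.0.0.0:443" are not merged),
    a simplification of nginx's own address matching.
    """
    defaults = {}
    for s in servers:
        for addr, explicit in s.listens:
            if addr not in defaults or (explicit and not defaults[addr][1]):
                defaults[addr] = (s.index, explicit)
    return defaults


def lint(text):
    """Return findings as strings; an empty list means the layout is sound."""
    servers = parse_servers(text)
    default_idx = {idx for idx, _ in default_servers(servers).values()}
    findings = []
    for s in servers:
        names = " ".join(a for d in s.directives.get("server_name", []) for a in d)
        label = f"server #{s.index} [{names or 'no server_name'}]"
        if "ssl_protocols" in s.directives and s.index not in default_idx:
            findings.append(f"{label}: ssl_protocols is ignored in a non-default virtual "
                            "server; set it in http {{ }} or in the default_server")
        if (s.index in default_idx and "ssl_certificate" not in s.directives
                and any("on" in a for a in s.directives.get("ssl_reject_handshake", []))):
            findings.append(f"{label}: default server has ssl_reject_handshake and no "
                            "ssl_certificate; OpenSSL before 1.1.1j disables TLSv1.3 here "
                            "(ticket #2071): add a dummy certificate or upgrade OpenSSL")
    return findings


# Constructed config in the shape comment:3 suspects: the default server rejects
# handshakes with no certificate, and ssl_protocols sits in a named virtual
# server where it cannot take effect. Names and paths are made up.
BROKEN = """
http {
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;   # ignored here
    }
}
"""

# Constructed corrected layout: protocols set once in http { }, and the default
# server carries a dummy certificate so TLSv1.3 stays enabled on old OpenSSL.
FIXED = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        listen 443 ssl default_server;
        ssl_certificate     /etc/nginx/dummy.crt;
        ssl_certificate_key /etc/nginx/dummy.key;
        ssl_reject_handshake on;
    }
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;
    }
}
"""

if __name__ == "__main__":
    for title, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(title, lint(cfg) or ["ok"])
```

The lint reads the literal config text, so it can be pointed at the output of `nginx -T` to check an installed configuration with includes already expanded. It deliberately does not try to merge equivalent listen addresses (`443` versus `0.0.0.0:443`) or model the `[::]` dual-stack case; for a production checker those would need nginx's own address matching.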
