#2352 closed defect (duplicate)
Multiple server sections don't respect ssl_protocols
Reported by: | | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | nginx-module | Version: |
Keywords: | ssl tls | Cc: |
uname -a: | Linux e03753289d4c 5.3.18-22-default #1 SMP Wed Jun 3 12:16:43 UTC 2020 (720aeba) x86_64 GNU/Linux | |

nginx -V:

```
nginx version: nginx/1.21.6
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k 25 Mar 2021 (running with OpenSSL 1.1.1n 15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.21.6/debian/debuild-base/nginx-1.21.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
```
Description
If we have multiple server sections like below:

```
http {
    ...
    server {
        listen 443 ssl;
        server_name myserver1;
        ssl_protocols TLSv1.3;
        ...
    }
    server {
        listen 443 ssl;
        server_name myserver2;
        ssl_protocols TLSv1.2;
        ...
    }
    ...
}
```
If a client that doesn't support TLSv1.3 tries to connect to myserver2, nginx fails to complete the handshake with a ProtocolVersion error. This bug is present in all nginx versions that support TLSv1.3, as far as I can see. To fix it, both server sections must support TLSv1.2.
What should happen is that nginx should respect the protocol version of the respective server of the current connection. As an alternative, if not possible, nginx should fail to start/load the configuration, and throw an error alerting that all SSL server sections should have the same protocols, and the documentation should be updated accordingly.
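The start-time consistency check the reporter asks for, written here as an added example rather than anything nginx itself does: a small Python lint that groups `ssl` listeners by port and reports server sections whose `ssl_protocols` differ, which is exactly the layout that triggers the handshake failure above. The sample config is constructed to mirror the ticket, and a server without its own `ssl_protocols` directive is assumed to inherit the http-level value.

```python
import re
from collections import defaultdict

# Constructed sample config mirroring the ticket's layout (not the reporter's file).
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # http-level value inherited by myserver3
    server { listen 443 ssl; server_name myserver1; ssl_protocols TLSv1.3; location / { return 200; } }
    server { listen 443 ssl; server_name myserver2; ssl_protocols TLSv1.2; }
    server { listen 8443 ssl; server_name myserver3; }
    server { listen 80; server_name plain; }
}
"""

def _blocks(text, name):
    """Yield the body of every `name { ... }` block, tracking nested braces."""
    for m in re.finditer(r'\b' + name + r'\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def _directive(body, name, default=None):
    """Return the arguments of the first `name ...;` at the top level of body."""
    top = body
    while True:  # strip nested blocks (location, etc.) one level at a time
        stripped = re.sub(r'\{[^{}]*\}', '', top)
        if stripped == top:
            break
        top = stripped
    m = re.search(r'(?<![\w-])' + name + r'\s+([^;]+);', top)
    return m.group(1).split() if m else default

def check_ssl_protocols(conf):
    """Return {listen_port: {server_name: protocol set}} for every ssl listen
    port whose server sections do not all agree on ssl_protocols."""
    conf = re.sub(r'#.*', '', conf)  # drop comments
    http_default = next((_directive(b, 'ssl_protocols') for b in _blocks(conf, 'http')), None)
    per_listen = defaultdict(dict)
    for body in _blocks(conf, 'server'):
        listen = _directive(body, 'listen', [])
        if 'ssl' not in listen:
            continue  # plain-HTTP servers cannot conflict on TLS settings
        name = ' '.join(_directive(body, 'server_name', ['<unnamed>']))
        protos = _directive(body, 'ssl_protocols', http_default)  # assumed inheritance
        per_listen[listen[0]][name] = frozenset(protos) if protos else None
    return {port: s for port, s in per_listen.items() if len(set(s.values())) > 1}
```

Run `check_ssl_protocols(open('/etc/nginx/nginx.conf').read())` on a real file to get the conflicting ports; an empty result means every ssl server on a port advertises the same protocol set.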
Change History (2)
comment:1 by , 3 years ago
Resolution: | → duplicate
---|---
Status: | new → closed
comment:2 by , 3 years ago
Even if this can't be fixed, this should be documented. Current documentation has no mention of it, that I could find.
Duplicate of #676.