Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2352 closed defect (duplicate)

Multiple server sections don't respect ssl_protocols

Reported by: SheepRock@… Owned by:
Priority: major Milestone:
Component: nginx-module Version:
Keywords: ssl tls Cc:
uname -a: Linux e03753289d4c 5.3.18-22-default #1 SMP Wed Jun 3 12:16:43 UTC 2020 (720aeba) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.6
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k 25 Mar 2021 (running with OpenSSL 1.1.1n 15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.21.6/debian/debuild-base/nginx-1.21.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

If we have multiple server sections like below

http {
...
    server {
        listen         443 ssl;
        server_name    myserver1;
        ssl_protocols  TLSv1.3;
        ...
    }

    server {
        listen         443 ssl;
        server_name    myserver2;
        ssl_protocols  TLSv1.2;
        ...
    }
...
}

If a client that doesn't have support for TLSv1.3 tries to connect to myserver2, nginx fails to complete the handshake with a ProtocolVersion error. This bug is present in all nginx versions that support TLSv1.3, as far as I can see. To fix it, both server sections must support TLSv1.2.

What should happen is that nginx should respect the protocol version of the respective server for the current connection. Alternatively, if that is not possible, nginx should fail to start/load the configuration and throw an error alerting that all SSL server sections must have the same protocols, and the documentation should be updated accordingly.
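Because the protocol version is settled before the SNI-based server switch, a configuration like the one above is worth catching at review time. The following audit script is an added example, not part of the ticket or of nginx: it uses a deliberately simplified parser (no include, no quoting, http-level ssl_protocols treated as "inherited") and reports every ssl listen address whose server blocks disagree on ssl_protocols. The sample configuration is constructed to mirror the ticket.

```python
import re
from collections import defaultdict

# Constructed sample reproducing the ticket: two ssl servers on 443 with
# different ssl_protocols, which nginx cannot honour per server_name.
SAMPLE_CONF = """
http {
    server {
        listen         443 ssl;
        server_name    myserver1;
        ssl_protocols  TLSv1.3;
    }
    server {
        listen         443 ssl;       # same port, different protocols
        server_name    myserver2;
        ssl_protocols  TLSv1.2;
    }
}
"""

def parse_servers(conf):
    """Return one {directive: [args, ...]} dict per server block.
    Only directives directly inside the server block are collected;
    nested blocks (location, if) are skipped. Simplified, not nginx's parser."""
    text = re.sub(r"#.*", "", conf)                    # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)     # braces, ';' and words
    servers, stmt, cur, depth, server_depth = [], [], None, 0, None
    for tok in tokens:
        if tok == "{":
            if cur is None and stmt and stmt[0] == "server":
                cur, server_depth = defaultdict(list), depth
            depth, stmt = depth + 1, []
        elif tok == "}":
            depth -= 1
            if cur is not None and depth == server_depth:
                servers.append(dict(cur)); cur = None
            stmt = []
        elif tok == ";":
            if cur is not None and stmt and depth == server_depth + 1:
                cur[stmt[0]].append(stmt[1:])
            stmt = []
        else:
            stmt.append(tok)
    return servers

def find_mismatches(conf):
    """Group ssl server blocks by listen address; return {address: {name: protocols}}
    for each address whose servers declare different ssl_protocols."""
    groups = defaultdict(dict)
    for srv in parse_servers(conf):
        for args in srv.get("listen", []):
            if "ssl" not in args[1:]:
                continue                               # plain-text listener
            protos = frozenset(p for a in srv.get("ssl_protocols", []) for p in a)
            name = " ".join(srv.get("server_name", [["(unnamed)"]])[0])
            groups[args[0]][name] = protos or frozenset({"(inherited)"})
    return {addr: m for addr, m in groups.items() if len(set(m.values())) > 1}
```

Run it over a real nginx.conf (after resolving includes yourself) and treat any returned address as a configuration to fix before deployment.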

Change History (2)

comment:1 by Maxim Dounin, 3 years ago

Resolution: duplicate
Status: new → closed

Duplicate of #676.

comment:2 by SheepRock@…, 3 years ago

Even if this can't be fixed, it should be documented. The current documentation has no mention of it that I could find.
