﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2352	Multiple server sections doesn't respect ssl_protocols	SheepRock@…		"If we have multiple server sections like below

{{{
http{
...
    server {
        listen         443 ssl;
        server_name    myserver1;        
        ssl_protocols  TLSv1.3;
        ...
    }

    server {
        listen         443 ssl;
        server_name    myserver2;        
        ssl_protocols  TLSv1.2;
        ...
    }
...
}
}}}

If a client that doesn't support TLSv1.3 tries to connect to `myserver2`, nginx fails to complete the handshake with a `ProtocolVersion` error. This bug is present in all nginx versions that support TLSv1.3, as far as I can see. To fix it, both server sections must support TLSv1.2.

What should happen is that nginx should respect the protocol version of the respective server of the current connection. As an alternative, if not possible, nginx should fail to start/load the configuration, and throw an error alerting that all SSL server sections should have the same protocols, and the documentation should be updated accordingly.
"	defect	closed	major		nginx-module		duplicate	ssl tls		Linux e03753289d4c 5.3.18-22-default #1 SMP Wed Jun 3 12:16:43 UTC 2020 (720aeba) x86_64 GNU/Linux	"nginx version: nginx/1.21.6
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k  25 Mar 2021 (running with OpenSSL 1.1.1n  15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.21.6/debian/debuild-base/nginx-1.21.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
