Opened 8 years ago

Closed 5 weeks ago

#642 closed enhancement (wontfix)

Cannot specify a minimum SSL/TLS version without also specifying a maximum

Reported by: Anders Kaseorg Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.7.x
Keywords: Cc:
uname -a:
nginx -V: 1.7.6

Description

The ssl_protocols directive only lets you specify a whitelist of SSL/TLS versions, not a blacklist. Therefore, if you want to disable a protocol that’s in the default whitelist, you are also implicitly disabling all the protocols that haven’t been invented yet. In particular, all the nginx admins who are paying attention now because SSL 3.0 is broken and getting publicity are inadvertently going to be creating the next generation of TLS 1.3 intolerant servers.

ssl_protocols should support (and encourage) a blacklist syntax, like Apache’s

SSLProtocol all -SSLv2 -SSLv3

Attachments (1)

nginx-ssl_protocols-blacklist.patch (5.9 KB ) - added by Anders Kaseorg 8 years ago.
[PATCH] Allow specifying ssl_protocols as a blacklist (ticket #642).

Download all attachments as: .zip

Change History (3)

by Anders Kaseorg, 8 years ago

[PATCH] Allow specifying ssl_protocols as a blacklist (ticket #642).

comment:1 by Maxim Dounin, 6 years ago

Type: defectenhancement

comment:2 by Maxim Dounin, 5 weeks ago

Resolution: wontfix
Status: newclosed

TLSv1.3 actually demonstrated that not enabling it until all compatibility issues are addressed is a way to go. As such, I would rather refrain from introducing such a way to configure SSL protocols, since it will make it very easy to unintentionally enable new protocols.

Note: See TracTickets for help on using tickets.