Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#766 closed defect (invalid)

ssl_protocols directive doesn't work in server context

Reported by: openid.yandex.ru/ptashgo Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.8.x
Keywords: Cc:
uname -a: Linux localhost 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0 built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) built with OpenSSL 1.0.1f 6 Jan 2014 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

Documentation says that ssl_protocols valid contexts are: http, server but in fact it works only in http

Steps to reproduce:

  • set ssl_protocols to TLSv1 TLSv1.1 TLSv1.2; inside server {}
  • try to connect with sslv3 only option or test host with ssllabs

Change History (3)

comment:1 Changed 4 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

The ssl_protocols directive works fine in both http and server contexts, and you can test it as follows:

    server {
        listen 8000 ssl default_server;
        ssl_protocols SSLv3;
    }
    server {
        listen 8001 ssl default_server;
        ssl_protocols TLSv1;
    }

Note the above example uses servers on distinct ports - this is an important point. The ssl_protocols doesn't allow to change available protocols in virtual servers listening on the same address:port, as protocol have to be selected before nginx will be able to choose a virtual server to use.

Some additional details can be found in the mailing list thread here:

http://mailman.nginx.org/pipermail/nginx/2014-October/045454.html
http://mailman.nginx.org/pipermail/nginx/2014-November/045738.html

comment:2 Changed 4 years ago by openid.yandex.ru/ptashgo

I think it worth be mentioned in documentation, because many people can be sure that everything is fine with their setup, but still vulnerable by POODLE for example

comment:3 Changed 4 years ago by brejoc@…

This has to be mentioned in the documentation. The documentation is not addressing this at all, which is missleading at the least. How should the user know?

Note: See TracTickets for help on using tickets.