Opened 8 years ago
Closed 8 years ago
#920 closed defect (wontfix)
SSLv3 is still enabled by default in Stable
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.8.x |
| Keywords: | Cc: | ||
| uname -a: | Linux sites.qccareerschool.com 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.8.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-http_geoip_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=native' |
||
Description
According to the documentation at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols, the default is
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
But line 564 of src/http/modules/ngx_http_ssl_module.c still includes SSLv3 by default
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
According to https://trac.nginx.org/nginx/ticket/653, this has been fixed, and it is fixed in the Mainline branch. Is it supposed to be fixed for the Stable branch as well? If not, should the documentation reflect that?
Change History (2)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
There are no plans to change this in the stable branch, as it's considered to be an unsafe change for stable. If you are using nginx 1.8.x and want to disable SSLv3, you can easily do it in the configuration.
As for the documentation, detailed information about SSL-related defaults in various nginx versions is available in the article Configuring HTTPS servers.