Opened 5 years ago

Closed 5 years ago

#920 closed defect (wontfix)

SSLv3 is still enabled by default in Stable

Reported by: dave.qccareerschool.com@…
Owned by:
Priority: minor
Milestone:
Component: documentation
Version: 1.8.x
Keywords:
Cc:
uname -a: Linux sites.qccareerschool.com 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-http_geoip_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=native'

Description

According to the documentation at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols, the default is

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

But line 564 of src/http/modules/ngx_http_ssl_module.c still includes SSLv3 by default:

                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1

According to https://trac.nginx.org/nginx/ticket/653, this has been fixed, and it is fixed in the Mainline branch. Is it supposed to be fixed for the Stable branch as well? If not, should the documentation reflect that?

Change History (2)

comment:1 by Maxim Dounin, 5 years ago

There are no plans to change this in the stable branch, as it's considered to be an unsafe change for stable. If you are using nginx 1.8.x and want to disable SSLv3, you can easily do it in the configuration.

As for the documentation, detailed information about SSL-related defaults in various nginx versions is available in the article Configuring HTTPS servers.
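An added example, not part of the ticket and not nginx's own code: because the 1.8.x built-in default still includes SSLv3, a TLS server block is free of it only when `ssl_protocols` is set on that block or on an enclosing level. The sketch below audits a configuration for server blocks that fall back to the default; the sample config, the function names and the two default tuples (copied from the ticket's description) are assumptions made for illustration.

```python
import re

# Built-in defaults as the ticket describes them (1.8.x source vs. documentation).
DEFAULT_1_8 = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEFAULT_DOCUMENTED = ("TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample config, not taken from the ticket.
SAMPLE_CONF = """
http {
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
    server { listen 80; server_name c.example; }
}
"""

def effective_protocols(conf_text, builtin_default):
    """Effective ssl_protocols per TLS server block: own value, else the nearest
    enclosing block's, else built-in. Simplified: no include expansion."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf_text))
    stack, stmt, servers = [], [], []
    for tok in tokens:
        if tok == "{":
            stack.append({"block": stmt[0] if stmt else "", "protos": None,
                          "name": None, "tls": False})
        elif tok == ";" and stmt and stack:
            frame = stack[-1]
            if stmt[0] == "ssl_protocols":
                frame["protos"] = tuple(stmt[1:])
            elif stmt[0] == "server_name" and len(stmt) > 1:
                frame["name"] = stmt[1]
            elif (stmt[0] == "listen" and "ssl" in stmt[2:]) or stmt == ["ssl", "on"]:
                frame["tls"] = True
        elif tok == "}" and stack:
            frame = stack.pop()
            if frame["block"] == "server" and frame["tls"]:
                # Keep parent references: a directive placed later in http{} still applies.
                servers.append((frame, stack[::-1]))
        stmt = [] if tok in ("{", "}", ";") else stmt + [tok]
    result = {}
    for i, (frame, parents) in enumerate(servers, 1):
        chain = [frame] + parents
        protos = next((f["protos"] for f in chain if f["protos"]), tuple(builtin_default))
        result[frame["name"] or f"server#{i}"] = protos
    return result

def servers_allowing_sslv3(conf_text, builtin_default):
    found = effective_protocols(conf_text, builtin_default)
    return sorted(name for name, protos in found.items() if "SSLv3" in protos)
```

Run against the constructed sample with `DEFAULT_1_8`, only `a.example` is reported; adding `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` at the `http` level clears it for every server that does not override the directive.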

comment:2 by Maxim Dounin, 5 years ago

Resolution: wontfix
Status: new → closed