diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2024-10-09 20:28:00 +0400 |
|---|---|---|
| committer | pluknet <pluknet@nginx.com> | 2024-10-31 19:49:00 +0400 |
| commit | ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264 (patch) | |
| tree | 9a1e360a7fef33ad986e609f33265150322404f1 /src/stream/ngx_stream_upstream.c | |
| parent | f45c2707ea1bf6fde3bd0c045cc4a63cdc4a966a (diff) | |
| download | nginx-ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264.tar.gz nginx-ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264.zip | |
SSL: disabled TLSv1 and TLSv1.1 by default.
TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due
to insufficient security reasons outlined in RFC 8996.
TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1
in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0,
they are only permitted at security level 0 (disabled by default).
The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari.
This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and
newer, where TLSv1.2 support is available. For older library versions,
which do not have alternatives, these protocol versions remain enabled.
Diffstat (limited to 'src/stream/ngx_stream_upstream.c')
0 files changed, 0 insertions, 0 deletions