From ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Wed, 9 Oct 2024 20:28:00 +0400 Subject: SSL: disabled TLSv1 and TLSv1.1 by default. TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due to insufficient security reasons outlined in RFC 8996. TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1 in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0, they are only permitted at security level 0 (disabled by default). The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari. This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and newer, where TLSv1.2 support is available. For older library versions, which do not have alternatives, these protocol versions remain enabled. --- src/stream/ngx_stream_proxy_module.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/stream/ngx_stream_proxy_module.c') diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c index ed275c009..bbf4f7ec0 100644 --- a/src/stream/ngx_stream_proxy_module.c +++ b/src/stream/ngx_stream_proxy_module.c @@ -2164,7 +2164,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols, (NGX_CONF_BITMASK_SET +#ifndef SSL_OP_NO_TLSv1_2 |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1 +#endif |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)); ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT"); -- cgit v1.2.3