See this ticket: https://trac.nginx.org/nginx/ticket/844
On Fri, Jul 2, 2021 at 9:05 AM Alfred Sawaya <[email protected]> wrote:
> Sorry, don't bother.
>
> It is because the default value is inherited from the http block.
>
> And if the ssl_protocols is not specified in the http block, then the
> default value is to enable TLS 1, 1.1 and 1.2
>
>
> Maybe it would be more natural to not inherit for this directive if it is
> specified in an underlying block.
>
>
> Alfred
>
>
> On 02/07/2021 18:00, Alfred Sawaya wrote:
> > Hello,
> >
> >
> > I am trying to configure an nginx that can accept only one ssl
> > protocol. In order to do that, I tried to set ssl_protocols to only one
> > protocol, but it does not work.
> >
> > The server always accepts all TLS versions.
> >
> >
> > I found that in the source code:
> >
> > src/http/modules/ngx_http_ssl_module.c : 673
> >
> >     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
> >                          (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
> >                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
> >
> >
> > So nginx seems to always activate TLS 1, 1.1 and 1.2. It should rather
> > respect the directive ssl_protocols, shouldn't it?
> >
> > Why is it not:
> >
> >     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
> >                          (NGX_CONF_BITMASK_SET));
> >
> > With an if just before calling nginx_ssl_create to set conf->protocols
> > to NGX_SSL_TLSv1 | NGX_SSL_TLSv1_1 | NGX_SSL_TLSv1_2, only if
> > conf->protocols == 0 ?
> >
> >
> > (I also tried to use ssl_conf_command with MinProtocol and MaxProtocol,
> > it does not work either...)
> >
> >
> > Thank you,
> >
> > Alfred
> >
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
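The merge rule behind the ngx_conf_merge_bitmask_value() call quoted in this thread, as an added example that is not part of the original messages or of nginx's source: it shows that the third argument only fills in a level left unset and is never OR-ed into an explicit setting. The bit values and the helper names merge_bitmask and effective_protocols are constructed for this example, and it models the configuration merge only.

```c
#include <stdio.h>

/* Bit values are constructed for this example; nginx defines its own. */
#define BITMASK_SET  0x01u   /* stands in for NGX_CONF_BITMASK_SET */
#define TLSv1        0x08u
#define TLSv1_1      0x10u
#define TLSv1_2      0x20u
#define TLSv1_3      0x40u

#define DEFAULT_PROTOCOLS (BITMASK_SET | TLSv1 | TLSv1_1 | TLSv1_2)

/*
 * Same rule as ngx_conf_merge_bitmask_value(conf, prev, default):
 * a level that set nothing (0) takes the parent's value, and the
 * built-in default is used only when the parent set nothing either.
 * An explicit value at this level is returned unchanged.
 */
static unsigned merge_bitmask(unsigned conf, unsigned prev, unsigned dflt)
{
    if (conf == 0) {
        conf = (prev == 0) ? dflt : prev;
    }
    return conf;
}

/* Mask a server{} block ends up with, given what http{} and server{} set
 * (0 means "ssl_protocols not written at that level"). */
static unsigned effective_protocols(unsigned http_level, unsigned server_level)
{
    return merge_bitmask(server_level, http_level, DEFAULT_PROTOCOLS);
}

int main(void)
{
    printf("nothing set anywhere      -> 0x%02x\n",
           effective_protocols(0, 0));
    printf("server sets TLSv1.2 only  -> 0x%02x\n",
           effective_protocols(0, TLSv1_2));
    printf("http sets TLSv1.3 only    -> 0x%02x\n",
           effective_protocols(TLSv1_3, 0));
    printf("http TLSv1.3, server 1.2  -> 0x%02x\n",
           effective_protocols(TLSv1_3, TLSv1_2));
    return 0;
}
```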
