SSL: disabled TLSv1 and TLSv1.1 by default.
TLSv1 and TLSv1.1 are formally deprecated and must not be negotiated, for the security reasons outlined in RFC 8996. TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1 in such a way that they cannot be enabled in nginx configuration. In OpenSSL 3.0, they are only permitted at security level 0 (disabled by default). Support for them was dropped in Chrome 84 and Firefox 78, and is deprecated in Safari. This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and newer, where TLSv1.2 support is available. For older library versions, which have no alternative, these protocol versions remain enabled.
This commit is contained in:
parent
f45c2707ea
commit
ebd18ec181
@ -4477,7 +4477,9 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
|
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
|
||||||
|
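Review bot: The identical three-line insertion `#ifndef SSL_OP_NO_TLSv1_2` / `|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1` / `#endif` is repeated in all seven merge functions on this page (the grpc, proxy, http ssl, uwsgi, mail ssl, stream proxy and stream ssl hunks), so the default protocol set now lives in seven places that must be edited together the next time a version is retired. Consider defining it once next to the NGX_SSL_TLSv* constants, say `NGX_SSL_DEFAULT_PROTOCOLS` with the `#ifndef` inside that one definition, and passing that macro as the default to each `ngx_conf_merge_bitmask_value()` call. Whichever form is kept, a short comment at the guard would help readers, e.g. `/* SSL_OP_NO_TLSv1_2 marks a library that knows TLSv1.2 (OpenSSL 1.0.1+); TLSv1/TLSv1.1 stay on by default only where no newer version exists */`. Note that `#ifndef` only tests whether the header defines the macro, not whether the build actually enables TLSv1.2, which appears to be the intended proxy here. Each merge function begins and ends outside its hunk.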
@ -3944,7 +3944,9 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
|
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
|
||||||
|
@ -653,7 +653,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
|
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
|
||||||
|
@ -1879,7 +1879,9 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
|
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
|
||||||
|
@ -345,7 +345,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
||||||
|
@ -2164,7 +2164,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
|
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
|
||||||
|
@ -884,7 +884,9 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||||
(NGX_CONF_BITMASK_SET
|
(NGX_CONF_BITMASK_SET
|
||||||
|
#ifndef SSL_OP_NO_TLSv1_2
|
||||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||||
|
#endif
|
||||||
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
|NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
|
||||||
|
|
||||||
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
|
||||||
|