git.feebdaed.xyz Git - 0xmirror/nginx.git/commit

author	Sergey Kandaurov <pluknet@nginx.com>
	Wed, 9 Oct 2024 16:28:00 +0000 (20:28 +0400)
committer	pluknet <pluknet@nginx.com>
	Thu, 31 Oct 2024 15:49:00 +0000 (19:49 +0400)
commit	ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264
tree	9a1e360a7fef33ad986e609f33265150322404f1	tree \| snapshot
parent	f45c2707ea1bf6fde3bd0c045cc4a63cdc4a966a	commit \| diff

SSL: disabled TLSv1 and TLSv1.1 by default.

TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due
to insufficient security reasons outlined in RFC 8996.

TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1
in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0,
they are only permitted at security level 0 (disabled by default).

The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari.

This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and
newer, where TLSv1.2 support is available. For older library versions,
which do not have alternatives, these protocol versions remain enabled.

src/http/modules/ngx_http_grpc_module.c		diff \| blob \| history
src/http/modules/ngx_http_proxy_module.c		diff \| blob \| history
src/http/modules/ngx_http_ssl_module.c		diff \| blob \| history
src/http/modules/ngx_http_uwsgi_module.c		diff \| blob \| history
src/mail/ngx_mail_ssl_module.c		diff \| blob \| history
src/stream/ngx_stream_proxy_module.c		diff \| blob \| history
src/stream/ngx_stream_ssl_module.c		diff \| blob \| history