As other wrote, this might cause problems when TLS 1.3 contains a major vulnerability TLS 1.4 fixes.
In my opinion, the `ssl_protocols` config should accept a string like "TLSv1.2+ -TLSv1.3", basically stating a minimum version, allowing exclusions and including anything newer. In the same spirit, one should be able to do "TLSv1.0-TLSv1.2" for setting a maximum, with specific exclusions if a new TLS version ever becomes a problem.
So then I don't understand the parent comment. It sounds like if you want TLS v1.2 support, you don't have to do anything special in configuring nginx.
Current defaults are `TLSv1 TLSv1.1 TLSv1.2`. The logic in stating `TLSv1.2` or `TLSv1.3 TLSv1.2` is that you're excluding TLSv1 or TLSv1.1 rather than explicitly including TLSv1.2.
5 comments
[ 0.25 ms ] story [ 12.4 ms ] threadIn my opinion, the `ssl_protocols` config should accept a string like "TLSv1.2+ -TLSv1.3", basically stating a minimum version, allowing exclusions and including anything newer. In the same spirit, one should be able to do "TLSv1.0-TLSv1.2" for setting a maximum, with specific exclusions if a new TLS version ever becomes a problem.