5 comments

[ 0.25 ms ] story [ 12.4 ms ] thread
As other wrote, this might cause problems when TLS 1.3 contains a major vulnerability TLS 1.4 fixes.

In my opinion, the `ssl_protocols` config should accept a string like "TLSv1.2+ -TLSv1.3", basically stating a minimum version, allowing exclusions and including anything newer. In the same spirit, one should be able to do "TLSv1.0-TLSv1.2" for setting a maximum, with specific exclusions if a new TLS version ever becomes a problem.

Why doesn't nginx default to using TLS v1.2 yet? It came out over a decade ago!
It does. https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_...

  Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
So then I don't understand the parent comment. It sounds like if you want TLS v1.2 support, you don't have to do anything special in configuring nginx.
Current defaults are `TLSv1 TLSv1.1 TLSv1.2`. The logic in stating `TLSv1.2` or `TLSv1.3 TLSv1.2` is that you're excluding TLSv1 or TLSv1.1 rather than explicitly including TLSv1.2.