SSL: disabled TLSv1 and TLSv1.1 by default. · nginx/nginx@ebd18ec (original) (raw)

Commit

Permalink

SSL: disabled TLSv1 and TLSv1.1 by default.

Browse files

Browse the repository at this point in the history

TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due to insufficient security reasons outlined in RFC 8996.

TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1 in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0, they are only permitted at security level 0 (disabled by default).

The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari.

This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and newer, where TLSv1.2 support is available. For older library versions, which do not have alternatives, these protocol versions remain enabled.

• Loading branch information