Hello,

Do we have any advanced admins of the Nginx web server? I'm doing some configuration changes on a spare Nginx web server to evaluate them before putting them on the main server. I've got a question on the ssl_protocols configuration option. I'm wanting to support only TLSv1.3 and TLSv1.2. I've seen configurations written in both of the following ways:

ssl_protocols TLSv1.3 TLSv1.2;

or:

ssl_protocols TLSv1.2 TLSv1.3;

Question, which is correct?

Thanks.
Dave.

--
Sent from Mozilla Thunderbird 91.13.1
Hi.

From what I have read over the years the order doesn't matter for this directive and it will use the highest SSL protocol version supported by both ends of the connection. I manage the configuration of Nginx on this server via the Certbot module and it has set the directive:

ssl_protocols TLSv1.2 TLSv1.3;

I get an A+ on Qualys SSL check.

Andrew.

-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Thursday, May 9, 2024 7:29 PM
To: blind-sysadmins@lists.hodgsonfamily.org
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Nginx SSL question
On 9/5/24 14:29, David Mehler via Blind-sysadmins wrote:

> I'm doing some configuration changes on a spare Nginx web server to evaluate them before putting them on the main server. I've got a question on the ssl_protocols configuration option. I'm wanting to support only TLSv1.3 and TLSv1.2. I've seen configurations written in both of the following ways:
>
> ssl_protocols TLSv1.3 TLSv1.2;
>
> or:
>
> ssl_protocols TLSv1.2 TLSv1.3;
I checked my configuration, and I'm using the latter syntax. What I don't know is whether the priority order of the TLS version negotiation is affected. Can you test it? For example, run openssl to create a client connection, and check the output that shows the TLS negotiation.
Participants (3):
- Andrew Hodgson
- David Mehler
- Jason J.G. White