# HG changeset patch
# User Yaroslav Zhuravlev <yar@nginx.com>
# Date 1432813724 -10800
# Node ID 3687cc9a3592ea614912f83a08c39e52c9cbaf1e
# Parent  fa144d919ef963eb215faa627c20924c6b370275
Removed SSLv3 from the default value of ssl_protocols and friends.

diff --git a/xml/en/docs/http/configuring_https_servers.xml b/xml/en/docs/http/configuring_https_servers.xml
--- a/xml/en/docs/http/configuring_https_servers.xml
+++ b/xml/en/docs/http/configuring_https_servers.xml
@@ -8,7 +8,7 @@
 <article name="Configuring HTTPS servers"
          link="/en/docs/http/configuring_https_servers.html"
          lang="en"
-         rev="7"
+         rev="8"
          author="Igor Sysoev"
          editor="Brian Mercer">
 
@@ -55,12 +55,12 @@ The directives <link doc="ngx_http_ssl_m
 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
 can be used to limit connections
 to include only the strong versions and ciphers of SSL/TLS.
-Since version 1.0.5, nginx uses
-“<literal>ssl_protocols SSLv3 TLSv1</literal>”
-and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>” by default,
-so configuring them explicitly only makes sense for the earlier nginx versions.
-Since versions 1.1.13 and 1.0.12, nginx uses
-“<literal>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</literal>” by default.
+By default nginx uses
+“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>”
+and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
+so configuring them explicitly is generally not needed.
+Note that default values of these directives were
+<link id="compatibility">changed</link> several times.
 </para>
 
 <para>
@@ -470,6 +470,11 @@ The shared SSL session cache has been su
 <list type="bullet">
 
 <listitem>
+Version 1.9.1 and later: the default SSL protocols are TLSv1,
+TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
+</listitem>
+
+<listitem>
 Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1,
 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
 </listitem>
diff --git a/xml/en/docs/http/ngx_http_proxy_module.xml b/xml/en/docs/http/ngx_http_proxy_module.xml
--- a/xml/en/docs/http/ngx_http_proxy_module.xml
+++ b/xml/en/docs/http/ngx_http_proxy_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_proxy_module"
         link="/en/docs/http/ngx_http_proxy_module.html"
         lang="en"
-        rev="37">
+        rev="38">
 
 <section id="summary">
 
@@ -1778,7 +1778,7 @@ appear in the logs, try disabling sessio
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
diff --git a/xml/en/docs/http/ngx_http_ssl_module.xml b/xml/en/docs/http/ngx_http_ssl_module.xml
--- a/xml/en/docs/http/ngx_http_ssl_module.xml
+++ b/xml/en/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_ssl_module"
         link="/en/docs/http/ngx_http_ssl_module.html"
         lang="en"
-        rev="18">
+        rev="19">
 
 <section id="summary">
 
@@ -352,7 +352,7 @@ ciphers when using the SSLv3 and TLS pro
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 
diff --git a/xml/en/docs/http/ngx_http_uwsgi_module.xml b/xml/en/docs/http/ngx_http_uwsgi_module.xml
--- a/xml/en/docs/http/ngx_http_uwsgi_module.xml
+++ b/xml/en/docs/http/ngx_http_uwsgi_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_uwsgi_module"
         link="/en/docs/http/ngx_http_uwsgi_module.html"
         lang="en"
-        rev="20">
+        rev="21">
 
 <section id="summary">
 
@@ -1273,7 +1273,7 @@ Passphrases are tried in turn when loadi
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
diff --git a/xml/en/docs/mail/ngx_mail_ssl_module.xml b/xml/en/docs/mail/ngx_mail_ssl_module.xml
--- a/xml/en/docs/mail/ngx_mail_ssl_module.xml
+++ b/xml/en/docs/mail/ngx_mail_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_mail_ssl_module"
         link="/en/docs/mail/ngx_mail_ssl_module.html"
         lang="en"
-        rev="6">
+        rev="7">
 
 <section id="summary">
 
@@ -245,7 +245,7 @@ when the SSLv3 and TLS protocols are use
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>mail</context>
 <context>server</context>
 
diff --git a/xml/en/docs/stream/ngx_stream_proxy_module.xml b/xml/en/docs/stream/ngx_stream_proxy_module.xml
--- a/xml/en/docs/stream/ngx_stream_proxy_module.xml
+++ b/xml/en/docs/stream/ngx_stream_proxy_module.xml
@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_proxy_module"
         link="/en/docs/stream/ngx_stream_proxy_module.html"
         lang="en"
-        rev="4">
+        rev="5">
 
 <section id="summary">
 
@@ -306,7 +306,7 @@ appear in the logs, try disabling sessio
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>stream</context>
 <context>server</context>
 
diff --git a/xml/en/docs/stream/ngx_stream_ssl_module.xml b/xml/en/docs/stream/ngx_stream_ssl_module.xml
--- a/xml/en/docs/stream/ngx_stream_ssl_module.xml
+++ b/xml/en/docs/stream/ngx_stream_ssl_module.xml
@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_ssl_module"
         link="/en/docs/stream/ngx_stream_ssl_module.html"
         lang="en"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -189,7 +189,7 @@ when the SSLv3 and TLS protocols are use
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>stream</context>
 <context>server</context>
 
diff --git a/xml/ru/docs/http/configuring_https_servers.xml b/xml/ru/docs/http/configuring_https_servers.xml
--- a/xml/ru/docs/http/configuring_https_servers.xml
+++ b/xml/ru/docs/http/configuring_https_servers.xml
@@ -8,7 +8,7 @@
 <article name="Настройка HTTPS-серверов"
          link="/ru/docs/http/configuring_https_servers.html"
          lang="ru"
-         rev="7"
+         rev="8"
          author="Игорь Сысоев"
          editor="Brian Mercer">
 
@@ -55,12 +55,12 @@ server {
 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
 можно ограничить соединения
 использованием только “сильных” версий и шифров SSL/TLS.
-Начиная с версии 1.0.5 nginx по умолчанию использует
-“<literal>ssl_protocols SSLv3 TLSv1</literal>” и
+По умолчанию nginx использует
+“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” и
 “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
-поэтому явная их настройка имеет смысл только для более ранних версий nginx.
-Начиная с версий 1.1.13 и 1.0.12 nginx по умолчанию использует
-“<literal>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</literal>”.
+поэтому их явная настройка в общем случае не требуется.
+Следует отметить, что значения по умолчанию этих директив несколько раз
+<link id="compatibility">менялись</link>.
 </para>
 
 <para>
@@ -470,6 +470,11 @@ SNI поддерживается начиная с версии 0.5.32.
 <list type="bullet">
 
 <listitem>
+Версия 1.9.1 и более поздние: протоколами SSL по умолчанию являются
+TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL).
+</listitem>
+
+<listitem>
 Версия 0.7.65, 0.8.19 и более поздние: протоколами SSL по умолчанию являются
 SSLv3, TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL).
 </listitem>
diff --git a/xml/ru/docs/http/ngx_http_proxy_module.xml b/xml/ru/docs/http/ngx_http_proxy_module.xml
--- a/xml/ru/docs/http/ngx_http_proxy_module.xml
+++ b/xml/ru/docs/http/ngx_http_proxy_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_proxy_module"
         link="/ru/docs/http/ngx_http_proxy_module.html"
         lang="ru"
-        rev="37">
+        rev="38">
 
 <section id="summary">
 
@@ -1775,7 +1775,7 @@ Server Name Indication протокола TLS</link> (SNI, RFC 6066)
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
diff --git a/xml/ru/docs/http/ngx_http_ssl_module.xml b/xml/ru/docs/http/ngx_http_ssl_module.xml
--- a/xml/ru/docs/http/ngx_http_ssl_module.xml
+++ b/xml/ru/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_ssl_module"
         link="/ru/docs/http/ngx_http_ssl_module.html"
         lang="ru"
-        rev="18">
+        rev="19">
 
 <section id="summary">
 
@@ -352,7 +352,7 @@ http {
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 
diff --git a/xml/ru/docs/http/ngx_http_uwsgi_module.xml b/xml/ru/docs/http/ngx_http_uwsgi_module.xml
--- a/xml/ru/docs/http/ngx_http_uwsgi_module.xml
+++ b/xml/ru/docs/http/ngx_http_uwsgi_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_uwsgi_module"
         link="/ru/docs/http/ngx_http_uwsgi_module.html"
         lang="ru"
-        rev="20">
+        rev="21">
 
 <section id="summary">
 
@@ -1264,7 +1264,7 @@ uwsgi-сервер.
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
diff --git a/xml/ru/docs/mail/ngx_mail_ssl_module.xml b/xml/ru/docs/mail/ngx_mail_ssl_module.xml
--- a/xml/ru/docs/mail/ngx_mail_ssl_module.xml
+++ b/xml/ru/docs/mail/ngx_mail_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_mail_ssl_module"
         link="/ru/docs/mail/ngx_mail_ssl_module.html"
         lang="ru"
-        rev="6">
+        rev="7">
 
 <section id="summary">
 
@@ -245,7 +245,7 @@ mail {
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>mail</context>
 <context>server</context>