Mercurial > hg > nginx-quic
annotate conf/fastcgi.conf @ 7420:b3a4f6d23e82 stable-1.14
SSL: enabled TLSv1.3 with BoringSSL.
BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3. This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.
With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set. This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3. This seems to be a good
change, as enabling unknown protocols might have unexpected results.
Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0. This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.
Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 07 Aug 2018 02:15:28 +0300 |
parents | 62869a9b2e7d |
children |
rev | line source |
---|---|
537 | 1 |
3383 | 2 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
537 | 3 fastcgi_param QUERY_STRING $query_string; |
4 fastcgi_param REQUEST_METHOD $request_method; | |
5 fastcgi_param CONTENT_TYPE $content_type; | |
6 fastcgi_param CONTENT_LENGTH $content_length; | |
7 | |
8 fastcgi_param SCRIPT_NAME $fastcgi_script_name; | |
9 fastcgi_param REQUEST_URI $request_uri; | |
10 fastcgi_param DOCUMENT_URI $document_uri; | |
11 fastcgi_param DOCUMENT_ROOT $document_root; | |
12 fastcgi_param SERVER_PROTOCOL $server_protocol; | |
6168
62869a9b2e7d
Added the REQUEST_SCHEME parameter.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4379
diff
changeset
|
13 fastcgi_param REQUEST_SCHEME $scheme; |
4379
4e2551a83291
Added the HTTPS fastcgi_param to fastcgi.conf.
Valentin Bartenev <vbart@nginx.com>
parents:
3383
diff
changeset
|
14 fastcgi_param HTTPS $https if_not_empty; |
537 | 15 |
16 fastcgi_param GATEWAY_INTERFACE CGI/1.1; | |
1330 | 17 fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; |
537 | 18 |
19 fastcgi_param REMOTE_ADDR $remote_addr; | |
20 fastcgi_param REMOTE_PORT $remote_port; | |
21 fastcgi_param SERVER_ADDR $server_addr; | |
22 fastcgi_param SERVER_PORT $server_port; | |
23 fastcgi_param SERVER_NAME $server_name; | |
24 | |
25 # PHP only, required if PHP was built with --enable-force-cgi-redirect | |
26 fastcgi_param REDIRECT_STATUS 200; |