changeset 1499:3687cc9a3592

Removed SSLv3 from the default value of ssl_protocols and friends.
author Yaroslav Zhuravlev <yar@nginx.com>
date Thu, 28 May 2015 14:48:44 +0300
parents fa144d919ef9
children cd534da03d02
files xml/en/docs/http/configuring_https_servers.xml xml/en/docs/http/ngx_http_proxy_module.xml xml/en/docs/http/ngx_http_ssl_module.xml xml/en/docs/http/ngx_http_uwsgi_module.xml xml/en/docs/mail/ngx_mail_ssl_module.xml xml/en/docs/stream/ngx_stream_proxy_module.xml xml/en/docs/stream/ngx_stream_ssl_module.xml xml/ru/docs/http/configuring_https_servers.xml xml/ru/docs/http/ngx_http_proxy_module.xml xml/ru/docs/http/ngx_http_ssl_module.xml xml/ru/docs/http/ngx_http_uwsgi_module.xml xml/ru/docs/mail/ngx_mail_ssl_module.xml
diffstat 12 files changed, 43 insertions(+), 33 deletions(-) [+]
--- a/xml/en/docs/http/configuring_https_servers.xml
+++ b/xml/en/docs/http/configuring_https_servers.xml
@@ -8,7 +8,7 @@
 <article name="Configuring HTTPS servers"
          link="/en/docs/http/configuring_https_servers.html"
          lang="en"
-         rev="7"
+         rev="8"
          author="Igor Sysoev"
          editor="Brian Mercer">
 
@@ -55,12 +55,12 @@ The directives <link doc="ngx_http_ssl_m
 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
 can be used to limit connections
 to include only the strong versions and ciphers of SSL/TLS.
-Since version 1.0.5, nginx uses
-“<literal>ssl_protocols SSLv3 TLSv1</literal>”
-and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>” by default,
-so configuring them explicitly only makes sense for the earlier nginx versions.
-Since versions 1.1.13 and 1.0.12, nginx uses
-“<literal>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</literal>” by default.
+By default nginx uses
+“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>”
+and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
+so configuring them explicitly is generally not needed.
+Note that default values of these directives were
+<link id="compatibility">changed</link> several times.
 </para>
 
 <para>
@@ -470,6 +470,11 @@ The shared SSL session cache has been su
 <list type="bullet">
 
 <listitem>
+Version 1.9.1 and later: the default SSL protocols are TLSv1,
+TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
+</listitem>
+
+<listitem>
 Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1,
 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
 </listitem>
--- a/xml/en/docs/http/ngx_http_proxy_module.xml
+++ b/xml/en/docs/http/ngx_http_proxy_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_proxy_module"
         link="/en/docs/http/ngx_http_proxy_module.html"
         lang="en"
-        rev="37">
+        rev="38">
 
 <section id="summary">
 
@@ -1778,7 +1778,7 @@ appear in the logs, try disabling sessio
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
--- a/xml/en/docs/http/ngx_http_ssl_module.xml
+++ b/xml/en/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_ssl_module"
         link="/en/docs/http/ngx_http_ssl_module.html"
         lang="en"
-        rev="18">
+        rev="19">
 
 <section id="summary">
 
@@ -352,7 +352,7 @@ ciphers when using the SSLv3 and TLS pro
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 
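Review bot: The hunk header context (`ciphers when using the SSLv3 and TLS pro…`) indicates the surrounding ssl_ciphers description in this file still presents SSLv3 as a protocol the defaults apply to, while the `<default>` on the new side no longer includes it; the stale wording should be revised in the same changeset so the directive text and its default agree. The mail and stream hunks at the `@@ -245,7 +245,7 @@ when the SSLv3 and TLS protocols are use` and `@@ -189,7 +189,7 @@ when the SSLv3 and TLS protocols are use` headers show the same leftover phrase. The enclosing paragraph is outside the hunk, so this is inferred from the header context only. A wording such as `ciphers when using the TLS protocols` would match the new default; readers of the compatibility list in configuring_https_servers.xml would also benefit from the directive pages cross-linking to that list, since the default now differs by nginx version.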
--- a/xml/en/docs/http/ngx_http_uwsgi_module.xml
+++ b/xml/en/docs/http/ngx_http_uwsgi_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_uwsgi_module"
         link="/en/docs/http/ngx_http_uwsgi_module.html"
         lang="en"
-        rev="20">
+        rev="21">
 
 <section id="summary">
 
@@ -1273,7 +1273,7 @@ Passphrases are tried in turn when loadi
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
--- a/xml/en/docs/mail/ngx_mail_ssl_module.xml
+++ b/xml/en/docs/mail/ngx_mail_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_mail_ssl_module"
         link="/en/docs/mail/ngx_mail_ssl_module.html"
         lang="en"
-        rev="6">
+        rev="7">
 
 <section id="summary">
 
@@ -245,7 +245,7 @@ when the SSLv3 and TLS protocols are use
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>mail</context>
 <context>server</context>
 
--- a/xml/en/docs/stream/ngx_stream_proxy_module.xml
+++ b/xml/en/docs/stream/ngx_stream_proxy_module.xml
@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_proxy_module"
         link="/en/docs/stream/ngx_stream_proxy_module.html"
         lang="en"
-        rev="4">
+        rev="5">
 
 <section id="summary">
 
@@ -306,7 +306,7 @@ appear in the logs, try disabling sessio
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>stream</context>
 <context>server</context>
 
--- a/xml/en/docs/stream/ngx_stream_ssl_module.xml
+++ b/xml/en/docs/stream/ngx_stream_ssl_module.xml
@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_ssl_module"
         link="/en/docs/stream/ngx_stream_ssl_module.html"
         lang="en"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -189,7 +189,7 @@ when the SSLv3 and TLS protocols are use
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>stream</context>
 <context>server</context>
 
--- a/xml/ru/docs/http/configuring_https_servers.xml
+++ b/xml/ru/docs/http/configuring_https_servers.xml
@@ -8,7 +8,7 @@
 <article name="Настройка HTTPS-серверов"
          link="/ru/docs/http/configuring_https_servers.html"
          lang="ru"
-         rev="7"
+         rev="8"
          author="Игорь Сысоев"
          editor="Brian Mercer">
 
@@ -55,12 +55,12 @@ server {
 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
 можно ограничить соединения
 использованием только “сильных” версий и шифров SSL/TLS.
-Начиная с версии 1.0.5 nginx по умолчанию использует
-“<literal>ssl_protocols SSLv3 TLSv1</literal>” и
+По умолчанию nginx использует
+“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” и
 “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
-поэтому явная их настройка имеет смысл только для более ранних версий nginx.
-Начиная с версий 1.1.13 и 1.0.12 nginx по умолчанию использует
-“<literal>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</literal>”.
+поэтому их явная настройка в общем случае не требуется.
+Следует отметить, что значения по умолчанию этих директив несколько раз
+<link id="compatibility">менялись</link>.
 </para>
 
 <para>
@@ -470,6 +470,11 @@ SNI поддерживается начиная с версии 0.5.32.
 <list type="bullet">
 
 <listitem>
+Версия 1.9.1 и более поздние: протоколами SSL по умолчанию являются
+TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL).
+</listitem>
+
+<listitem>
 Версия 0.7.65, 0.8.19 и более поздние: протоколами SSL по умолчанию являются
 SSLv3, TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL).
 </listitem>
--- a/xml/ru/docs/http/ngx_http_proxy_module.xml
+++ b/xml/ru/docs/http/ngx_http_proxy_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_proxy_module"
         link="/ru/docs/http/ngx_http_proxy_module.html"
         lang="ru"
-        rev="37">
+        rev="38">
 
 <section id="summary">
 
@@ -1775,7 +1775,7 @@ Server Name Indication протокола TLS</link> (SNI, RFC 6066)
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
--- a/xml/ru/docs/http/ngx_http_ssl_module.xml
+++ b/xml/ru/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_ssl_module"
         link="/ru/docs/http/ngx_http_ssl_module.html"
         lang="ru"
-        rev="18">
+        rev="19">
 
 <section id="summary">
 
@@ -352,7 +352,7 @@ http {
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 
--- a/xml/ru/docs/http/ngx_http_uwsgi_module.xml
+++ b/xml/ru/docs/http/ngx_http_uwsgi_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_uwsgi_module"
         link="/ru/docs/http/ngx_http_uwsgi_module.html"
         lang="ru"
-        rev="20">
+        rev="21">
 
 <section id="summary">
 
@@ -1264,7 +1264,7 @@ uwsgi-сервер.
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>http</context>
 <context>server</context>
 <context>location</context>
--- a/xml/ru/docs/mail/ngx_mail_ssl_module.xml
+++ b/xml/ru/docs/mail/ngx_mail_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_mail_ssl_module"
         link="/ru/docs/mail/ngx_mail_ssl_module.html"
         lang="ru"
-        rev="6">
+        rev="7">
 
 <section id="summary">
 
@@ -245,7 +245,7 @@ mail {
     [<literal>TLSv1</literal>]
     [<literal>TLSv1.1</literal>]
     [<literal>TLSv1.2</literal>]</syntax>
-<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
+<default>TLSv1 TLSv1.1 TLSv1.2</default>
 <context>mail</context>
 <context>server</context>