Mercurial > hg > nginx-site
changeset 2948:37e082fd009c
Added TLSv1.3 to the default value of ssl_protocols and friends.
| author | Yaroslav Zhuravlev <yar@nginx.com> |
|---|---|
| date | Fri, 10 Mar 2023 22:17:07 +0000 |
| parents | 39a5ac34d794 |
| children | 1cff7cdb78da |
| files | xml/en/docs/http/configuring_https_servers.xml xml/en/docs/http/ngx_http_grpc_module.xml xml/en/docs/http/ngx_http_proxy_module.xml xml/en/docs/http/ngx_http_ssl_module.xml xml/en/docs/http/ngx_http_uwsgi_module.xml xml/en/docs/mail/ngx_mail_ssl_module.xml xml/en/docs/stream/ngx_stream_proxy_module.xml xml/en/docs/stream/ngx_stream_ssl_module.xml xml/ru/docs/http/configuring_https_servers.xml xml/ru/docs/http/ngx_http_grpc_module.xml xml/ru/docs/http/ngx_http_proxy_module.xml xml/ru/docs/http/ngx_http_ssl_module.xml xml/ru/docs/http/ngx_http_uwsgi_module.xml xml/ru/docs/mail/ngx_mail_ssl_module.xml xml/ru/docs/stream/ngx_stream_proxy_module.xml xml/ru/docs/stream/ngx_stream_ssl_module.xml |
| diffstat | 16 files changed, 132 insertions(+), 42 deletions(-) [+] |
line wrap: on
line diff
--- a/xml/en/docs/http/configuring_https_servers.xml +++ b/xml/en/docs/http/configuring_https_servers.xml @@ -8,7 +8,7 @@ <article name="Configuring HTTPS servers" link="/en/docs/http/configuring_https_servers.html" lang="en" - rev="13" + rev="14" author="Igor Sysoev" editor="Brian Mercer"> @@ -31,7 +31,7 @@ server { server_name www.example.com; ssl_certificate <b>www.example.com.crt</b>; ssl_certificate_key <b>www.example.com.key</b>; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ... } @@ -59,7 +59,7 @@ The directives <link doc="ngx_http_ssl_m can be used to limit connections to include only the strong versions and ciphers of SSL/TLS. By default nginx uses -“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” +“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>” and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, so configuring them explicitly is generally not needed. Note that default values of these directives were @@ -110,7 +110,7 @@ http { ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ... </programlisting> @@ -446,6 +446,11 @@ The shared SSL session cache has been su <list type="bullet"> <listitem> +Version 1.23.4 and later: the default SSL protocols are TLSv1, +TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library). +</listitem> + +<listitem> Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). </listitem>
--- a/xml/en/docs/http/ngx_http_grpc_module.xml +++ b/xml/en/docs/http/ngx_http_grpc_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_http_grpc_module" link="/en/docs/http/ngx_http_grpc_module.html" lang="en" - rev="8"> + rev="9"> <section id="summary"> @@ -633,7 +633,7 @@ Passphrases are tried in turn when loadi [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> <context>location</context> @@ -642,6 +642,13 @@ Passphrases are tried in turn when loadi Enables the specified protocols for requests to a gRPC SSL server. </para> +<para> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> +</para> + </directive>
--- a/xml/en/docs/http/ngx_http_proxy_module.xml +++ b/xml/en/docs/http/ngx_http_proxy_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_http_proxy_module" link="/en/docs/http/ngx_http_proxy_module.html" lang="en" - rev="75"> + rev="76"> <section id="summary"> @@ -2096,7 +2096,7 @@ Passphrases are tried in turn when loadi [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> <context>location</context> @@ -2106,6 +2106,13 @@ Passphrases are tried in turn when loadi Enables the specified protocols for requests to a proxied HTTPS server. </para> +<para> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> +</para> + </directive>
--- a/xml/en/docs/http/ngx_http_ssl_module.xml +++ b/xml/en/docs/http/ngx_http_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_http_ssl_module" link="/en/docs/http/ngx_http_ssl_module.html" lang="en" - rev="59"> + rev="60"> <section id="summary"> @@ -76,7 +76,7 @@ http { listen 443 ssl; <emphasis>keepalive_timeout 70;</emphasis> - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /usr/local/nginx/conf/cert.pem; ssl_certificate_key /usr/local/nginx/conf/cert.key; @@ -595,7 +595,7 @@ ciphers when using the SSLv3 and TLS pro [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> @@ -609,6 +609,10 @@ The <literal>TLSv1.1</literal> and <lite The <literal>TLSv1.3</literal> parameter (1.13.0) works only when OpenSSL 1.1.1 or higher is used. </note> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> </para> </directive>
--- a/xml/en/docs/http/ngx_http_uwsgi_module.xml +++ b/xml/en/docs/http/ngx_http_uwsgi_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_http_uwsgi_module" link="/en/docs/http/ngx_http_uwsgi_module.html" lang="en" - rev="49"> + rev="50"> <section id="summary"> @@ -1546,7 +1546,7 @@ Passphrases are tried in turn when loadi [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> <context>location</context> @@ -1556,6 +1556,13 @@ Passphrases are tried in turn when loadi Enables the specified protocols for requests to a secured uwsgi server. </para> +<para> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> +</para> + </directive>
--- a/xml/en/docs/mail/ngx_mail_ssl_module.xml +++ b/xml/en/docs/mail/ngx_mail_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_mail_ssl_module" link="/en/docs/mail/ngx_mail_ssl_module.html" lang="en" - rev="26"> + rev="27"> <section id="summary"> @@ -69,7 +69,7 @@ mail { server { listen 993 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /usr/local/nginx/conf/cert.pem; ssl_certificate_key /usr/local/nginx/conf/cert.key; @@ -420,7 +420,7 @@ when the SSLv3 and TLS protocols are use [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>mail</context> <context>server</context> @@ -434,6 +434,10 @@ The <literal>TLSv1.1</literal> and <lite The <literal>TLSv1.3</literal> parameter (1.13.0) works only when OpenSSL 1.1.1 or higher is used. </note> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> </para> </directive>
--- a/xml/en/docs/stream/ngx_stream_proxy_module.xml +++ b/xml/en/docs/stream/ngx_stream_proxy_module.xml @@ -9,7 +9,7 @@ <module name="Module ngx_stream_proxy_module" link="/en/docs/stream/ngx_stream_proxy_module.html" lang="en" - rev="31"> + rev="32"> <section id="summary"> @@ -543,7 +543,7 @@ Passphrases are tried in turn when loadi [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>stream</context> <context>server</context> @@ -551,6 +551,13 @@ Passphrases are tried in turn when loadi Enables the specified protocols for connections to a proxied server. </para> +<para> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> +</para> + </directive>
--- a/xml/en/docs/stream/ngx_stream_ssl_module.xml +++ b/xml/en/docs/stream/ngx_stream_ssl_module.xml @@ -9,7 +9,7 @@ <module name="Module ngx_stream_ssl_module" link="/en/docs/stream/ngx_stream_ssl_module.html" lang="en" - rev="31"> + rev="32"> <section id="summary"> @@ -62,7 +62,7 @@ stream { server { listen 12345 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /usr/local/nginx/conf/cert.pem; ssl_certificate_key /usr/local/nginx/conf/cert.key; @@ -444,7 +444,7 @@ when the SSLv3 and TLS protocols are use [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>stream</context> <context>server</context> @@ -458,6 +458,10 @@ only when OpenSSL 1.0.1 or higher is use The <literal>TLSv1.3</literal> parameter (1.13.0) works only when OpenSSL 1.1.1 or higher is used. </note> +<note> +The <literal>TLSv1.3</literal> parameter is used by default +since 1.23.4. +</note> </para> </directive>
--- a/xml/ru/docs/http/configuring_https_servers.xml +++ b/xml/ru/docs/http/configuring_https_servers.xml @@ -8,7 +8,7 @@ <article name="Настройка HTTPS-серверов" link="/ru/docs/http/configuring_https_servers.html" lang="ru" - rev="13" + rev="14" author="Игорь Сысоев" editor="Brian Mercer"> @@ -30,7 +30,7 @@ server { server_name www.example.com; ssl_certificate <b>www.example.com.crt</b>; ssl_certificate_key <b>www.example.com.key</b>; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ... } @@ -58,7 +58,7 @@ server { можно ограничить соединения использованием только “сильных” версий и шифров SSL/TLS. По умолчанию nginx использует -“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” и +“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>” и “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, поэтому их явная настройка в общем случае не требуется. Следует отметить, что значения по умолчанию этих директив несколько раз @@ -108,7 +108,7 @@ http { ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ... </programlisting> @@ -445,6 +445,11 @@ SNI поддерживается начиная с версии 0.5.23. <list type="bullet"> <listitem> +Версия 1.23.4 и более поздние: протоколами SSL по умолчанию являются +TLSv1, TLSv1.1, TLSv1.2 и TLSv1.3 (если поддерживается библиотекой OpenSSL). +</listitem> + +<listitem> Версия 1.9.1 и более поздние: протоколами SSL по умолчанию являются TLSv1, TLSv1.1 и TLSv1.2 (если поддерживается библиотекой OpenSSL). </listitem>
--- a/xml/ru/docs/http/ngx_http_grpc_module.xml +++ b/xml/ru/docs/http/ngx_http_grpc_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_grpc_module" link="/ru/docs/http/ngx_http_grpc_module.html" lang="ru" - rev="8"> + rev="9"> <section id="summary"> @@ -632,7 +632,7 @@ OpenSSL [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> <context>location</context> @@ -641,6 +641,13 @@ OpenSSL Разрешает указанные протоколы для запросов к gRPC SSL-серверу. </para> +<para> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> +</para> + </directive>
--- a/xml/ru/docs/http/ngx_http_proxy_module.xml +++ b/xml/ru/docs/http/ngx_http_proxy_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_proxy_module" link="/ru/docs/http/ngx_http_proxy_module.html" lang="ru" - rev="75"> + rev="76"> <section id="summary"> @@ -2098,7 +2098,7 @@ OpenSSL [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> <context>location</context> @@ -2108,6 +2108,13 @@ OpenSSL Разрешает указанные протоколы для запросов к проксируемому HTTPS-серверу. </para> +<para> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> +</para> + </directive>
--- a/xml/ru/docs/http/ngx_http_ssl_module.xml +++ b/xml/ru/docs/http/ngx_http_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_ssl_module" link="/ru/docs/http/ngx_http_ssl_module.html" lang="ru" - rev="59"> + rev="60"> <section id="summary"> @@ -76,7 +76,7 @@ http { listen 443 ssl; <emphasis>keepalive_timeout 70;</emphasis> - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /usr/local/nginx/conf/cert.pem; ssl_certificate_key /usr/local/nginx/conf/cert.key; @@ -600,7 +600,7 @@ http { [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> @@ -614,6 +614,10 @@ http { Параметр <literal>TLSv1.3</literal> (1.13.0) работает только при использовании OpenSSL 1.1.1 и выше. </note> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> </para> </directive>
--- a/xml/ru/docs/http/ngx_http_uwsgi_module.xml +++ b/xml/ru/docs/http/ngx_http_uwsgi_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_uwsgi_module" link="/ru/docs/http/ngx_http_uwsgi_module.html" lang="ru" - rev="49"> + rev="50"> <section id="summary"> @@ -1542,7 +1542,7 @@ OpenSSL [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>http</context> <context>server</context> <context>location</context> @@ -1552,6 +1552,13 @@ OpenSSL Разрешает указанные протоколы для запросов к suwsgi-серверу. </para> +<para> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> +</para> + </directive>
--- a/xml/ru/docs/mail/ngx_mail_ssl_module.xml +++ b/xml/ru/docs/mail/ngx_mail_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_mail_ssl_module" link="/ru/docs/mail/ngx_mail_ssl_module.html" lang="ru" - rev="26"> + rev="27"> <section id="summary"> @@ -69,7 +69,7 @@ mail { server { listen 993 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /usr/local/nginx/conf/cert.pem; ssl_certificate_key /usr/local/nginx/conf/cert.key; @@ -422,7 +422,7 @@ mail { [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>mail</context> <context>server</context> @@ -436,6 +436,10 @@ mail { Параметр <literal>TLSv1.3</literal> (1.13.0) работает только при использовании OpenSSL 1.1.1 и выше. </note> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> </para> </directive>
--- a/xml/ru/docs/stream/ngx_stream_proxy_module.xml +++ b/xml/ru/docs/stream/ngx_stream_proxy_module.xml @@ -9,7 +9,7 @@ <module name="Модуль ngx_stream_proxy_module" link="/ru/docs/stream/ngx_stream_proxy_module.html" lang="ru" - rev="31"> + rev="32"> <section id="summary"> @@ -543,7 +543,7 @@ OpenSSL [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>stream</context> <context>server</context> @@ -551,6 +551,13 @@ OpenSSL Разрешает указанные протоколы для соединений с проксируемым сервером. </para> +<para> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> +</para> + </directive>
--- a/xml/ru/docs/stream/ngx_stream_ssl_module.xml +++ b/xml/ru/docs/stream/ngx_stream_ssl_module.xml @@ -9,7 +9,7 @@ <module name="Модуль ngx_stream_ssl_module" link="/ru/docs/stream/ngx_stream_ssl_module.html" lang="ru" - rev="31"> + rev="32"> <section id="summary"> @@ -62,7 +62,7 @@ stream { server { listen 12345 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /usr/local/nginx/conf/cert.pem; ssl_certificate_key /usr/local/nginx/conf/cert.key; @@ -447,7 +447,7 @@ stream { [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>] [<literal>TLSv1.3</literal>]</syntax> -<default>TLSv1 TLSv1.1 TLSv1.2</default> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> <context>stream</context> <context>server</context> @@ -461,6 +461,10 @@ stream { Параметр <literal>TLSv1.3</literal> (1.13.0) работает только при использовании OpenSSL 1.1.1 и выше. </note> +<note> +Параметр <literal>TLSv1.3</literal> используется по умолчанию +начиная с 1.23.4. +</note> </para> </directive>