comparison xml/en/docs/http/configuring_https_servers.xml @ 2948:37e082fd009c

Added TLSv1.3 to the default value of ssl_protocols and friends.
author Yaroslav Zhuravlev <yar@nginx.com>
date Fri, 10 Mar 2023 22:17:07 +0000
parents aac9e462320b
2947:39a5ac34d794 2948:37e082fd009c
6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> 6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd">
7 7
8 <article name="Configuring HTTPS servers" 8 <article name="Configuring HTTPS servers"
9 link="/en/docs/http/configuring_https_servers.html" 9 link="/en/docs/http/configuring_https_servers.html"
10 lang="en" 10 lang="en"
11 rev="13" 11 rev="14"
12 author="Igor Sysoev" 12 author="Igor Sysoev"
13 editor="Brian Mercer"> 13 editor="Brian Mercer">
14 14
15 <section> 15 <section>
16 16
29 server { 29 server {
30 listen 443 <b>ssl</b>; 30 listen 443 <b>ssl</b>;
31 server_name www.example.com; 31 server_name www.example.com;
32 ssl_certificate <b>www.example.com.crt</b>; 32 ssl_certificate <b>www.example.com.crt</b>;
33 ssl_certificate_key <b>www.example.com.key</b>; 33 ssl_certificate_key <b>www.example.com.key</b>;
34 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 34 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
35 ssl_ciphers HIGH:!aNULL:!MD5; 35 ssl_ciphers HIGH:!aNULL:!MD5;
36 ... 36 ...
37 } 37 }
38 </programlisting> 38 </programlisting>
39 39
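Review bot: the example at line 34 still lists TLSv1 and TLSv1.1 next to the newly added TLSv1.3, and this is the block readers tend to copy into their own configuration. Both of those versions were formally deprecated by RFC 8996. If the example is only meant to mirror the built-in default, say so in the surrounding text; otherwise consider showing `ssl_protocols TLSv1.2 TLSv1.3;` here.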
57 The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and 57 The directives <link doc="ngx_http_ssl_module.xml" id="ssl_protocols"/> and
58 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/> 58 <link doc="ngx_http_ssl_module.xml" id="ssl_ciphers"/>
59 can be used to limit connections 59 can be used to limit connections
60 to include only the strong versions and ciphers of SSL/TLS. 60 to include only the strong versions and ciphers of SSL/TLS.
61 By default nginx uses 61 By default nginx uses
62 “<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” 62 “<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>”
63 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, 63 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”,
64 so configuring them explicitly is generally not needed. 64 so configuring them explicitly is generally not needed.
65 Note that default values of these directives were 65 Note that default values of these directives were
66 <link id="compatibility">changed</link> several times. 66 <link id="compatibility">changed</link> several times.
67 </para> 67 </para>
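Review bot: line 62 now states the default as `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` without qualification, while the compatibility entry added at lines 449-450 says "(if supported by the OpenSSL library)". Carry that qualifier into this paragraph, or point to the compatibility section from here, so that a reader on an older OpenSSL build does not assume TLSv1.3 is available just because it is the documented default.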
108 server_name www.example.com; 108 server_name www.example.com;
109 <b>keepalive_timeout 70</b>; 109 <b>keepalive_timeout 70</b>;
110 110
111 ssl_certificate www.example.com.crt; 111 ssl_certificate www.example.com.crt;
112 ssl_certificate_key www.example.com.key; 112 ssl_certificate_key www.example.com.key;
113 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 113 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
114 ssl_ciphers HIGH:!aNULL:!MD5; 114 ssl_ciphers HIGH:!aNULL:!MD5;
115 ... 115 ...
116 </programlisting> 116 </programlisting>
117 </para> 117 </para>
118 118
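Review bot: line 113 repeats the protocol list that is also updated at lines 34 and 62, so every change of defaults has to be applied in three places in this file. Since line 64 says configuring these directives explicitly is generally not needed, this example, which highlights `keepalive_timeout 70`, could drop the `ssl_protocols` and `ssl_ciphers` lines and keep only the directives it is demonstrating.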
444 444
445 <para> 445 <para>
446 <list type="bullet"> 446 <list type="bullet">
447 447
448 <listitem> 448 <listitem>
449 Version 1.23.4 and later: the default SSL protocols are TLSv1,
450 TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library).
451 </listitem>
452
453 <listitem>
449 Version 1.9.1 and later: the default SSL protocols are TLSv1, 454 Version 1.9.1 and later: the default SSL protocols are TLSv1,
450 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). 455 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
451 </listitem> 456 </listitem>
452 457
453 <listitem> 458 <listitem>
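Review bot: the new item at lines 449-450 and the existing item at lines 454-455 both read "and later", so a reader on a current release matches two entries with different protocol lists. Either bound the older entry's version range or add a sentence before the list stating that the first matching entry applies.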