Mercurial > hg > nginx-site
comparison xml/en/docs/http/configuring_https_servers.xml @ 314:95d5dc7c9884
Documented the new "TLSv1.1" and "TLSv1.2" parameters of the
"ssl_protocols" directive.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Fri, 13 Jan 2012 17:58:36 +0000 |
| parents | 4c6d2c614d2c |
| children | a413dffb0557 |
comparison
equal
deleted
inserted
replaced
| 313:16244471304a | 314:95d5dc7c9884 |
|---|---|
| 18 listen 443; | 18 listen 443; |
| 19 server_name www.nginx.com; | 19 server_name www.nginx.com; |
| 20 ssl on; | 20 ssl on; |
| 21 ssl_certificate www.nginx.com.crt; | 21 ssl_certificate www.nginx.com.crt; |
| 22 ssl_certificate_key www.nginx.com.key; | 22 ssl_certificate_key www.nginx.com.key; |
| 23 ssl_protocols SSLv3 TLSv1; | 23 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
| 24 ssl_ciphers HIGH:!aNULL:!MD5; | 24 ssl_ciphers HIGH:!aNULL:!MD5; |
| 25 ... | 25 ... |
| 26 } | 26 } |
| 27 </programlisting> | 27 </programlisting> |
| 28 | 28 |
| 48 can be used to limit connections | 48 can be used to limit connections |
| 49 to include only the strong versions and ciphers of SSL/TLS. | 49 to include only the strong versions and ciphers of SSL/TLS. |
| 50 Since version 1.0.5, nginx uses “<literal>ssl_protocols SSLv3 TLSv1</literal>” | 50 Since version 1.0.5, nginx uses “<literal>ssl_protocols SSLv3 TLSv1</literal>” |
| 51 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>” by default, | 51 and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>” by default, |
| 52 so configuring them explicitly only makes sense for the earlier nginx versions. | 52 so configuring them explicitly only makes sense for the earlier nginx versions. |
| 53 Since version 1.1.13, nginx uses | |
| 54 “<literal>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</literal>” by default. | |
| 53 </para> | 55 </para> |
| 54 | 56 |
| 55 <para> | 57 <para> |
| 56 CBC-mode ciphers might be vulnerable to a number of attacks and to | 58 CBC-mode ciphers might be vulnerable to a number of attacks and to |
| 57 the BEAST attack in particular (see | 59 the BEAST attack in particular (see |
| 103 <b>keepalive_timeout 70</b>; | 105 <b>keepalive_timeout 70</b>; |
| 104 | 106 |
| 105 ssl on; | 107 ssl on; |
| 106 ssl_certificate www.nginx.com.crt; | 108 ssl_certificate www.nginx.com.crt; |
| 107 ssl_certificate_key www.nginx.com.key; | 109 ssl_certificate_key www.nginx.com.key; |
| 108 ssl_protocols SSLv3 TLSv1; | 110 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
| 109 ssl_ciphers HIGH:!aNULL:!MD5; | 111 ssl_ciphers HIGH:!aNULL:!MD5; |
| 110 ... | 112 ... |
| 111 </programlisting> | 113 </programlisting> |
| 112 </para> | 114 </para> |
| 113 | 115 |
| 452 | 454 |
| 453 <para> | 455 <para> |
| 454 <list> | 456 <list> |
| 455 | 457 |
| 456 <item> | 458 <item> |
| 457 Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3 and TLSv1. | 459 Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, |
| 460 TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). | |
| 458 </item> | 461 </item> |
| 459 | 462 |
| 460 <item> | 463 <item> |
| 461 Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, | 464 Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, |
| 462 SSLv3, and TLSv1. | 465 SSLv3, and TLSv1. |