Want to subscribe to topics you're interested in?
Become a Member

Nginx Suggestion for SSL Configuration

Discussion in 'Feature Requests & Suggestions' started by rdan, Dec 4, 2019.

  1. rdan

    rdan Well-Known Member

    5,439
    1,397
    113
    May 25, 2014
    Ratings:
    +2,186
    Local Time:
    4:47 AM
    Mainline
    10.2
  2. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Besides the ssl_protocols difference, ssl ciphers will end up pretty much the same for TLSv1.2 and TLSv1.3 requests. Reason why other additional ssl ciphers are there is Centmin Mod Nginx just doesn't support OpenSSL 1.1.1, it can support OpenSSL 1.0.2/LibreSSL and BoringSSL and CF BoringSSL + Quiche so requests a wider range of ssl ciphers listed and also supports TLSv1.0 and TLSv1.1 by default. Those ssl cipehrs aren't used if OpenSSL/BoringSSL/LibreSSL don't use them and/or if ssl protocol doesn't support them i.e. if min ssl_protocols is TLSv1.2 and TLSv1.3 only.

    Soon TLSv1.0 and TLSv1.1 will be deprecated by Jan 2020 IIRC next month by major web browsers, so minor/alternate browsers that don't support TLSv1.2 or TLSv1.3 won't be able to connect to TLSv1.0 or TLSv1.1 servers. But because Centmin Mod Nginx lists TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 support, browsers that do support TLSv1.2 and TLSv1.3 will work fine.

    Note browsers are only one type of client that can possible connect to Nginx. Others like curl, wget etc as well.

    So Centmin Mod's config is the way it is due to needing to support more than one crypto library in Nginx chosen by end user though default is OpenSSL 1.1.1 branch.