
Deprecation of Legacy TLS 1.0 and 1.1 Versions - Aaronn
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
======
petecooper
[Also posted in the corresponding discussions for Firefox ([https://news.ycombinator.com/item?id=18223672](https://news.ycombinator.com/item?id=18223672)) and Chrome ([https://news.ycombinator.com/item?id=18221281](https://news.ycombinator.com/item?id=18221281))]

If you want Nginx to use TLS v1.2, this is what you need:

    ssl_protocols TLSv1.2;

…and if you compile a recent Nginx from source and bake in OpenSSL 1.1.1 while
you do that, you can have TLS v1.3 with a TLS v1.2 fallback, too:

    ssl_protocols TLSv1.3 TLSv1.2;

See also:

[https://caniuse.com/#feat=tls1-2](https://caniuse.com/#feat=tls1-2)

[https://caniuse.com/#feat=tls1-3](https://caniuse.com/#feat=tls1-3)

~~~
stock_toaster
I don't believe the order in "ssl_protocols" has any relevance. The client and
server should negotiate/choose the highest mutually supported protocol
version.
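A small audit script for the `ssl_protocols` directive discussed in the two posts above, added here as an example and not code from either poster: it finds each directive in an nginx config, flags the legacy SSLv3/TLSv1/TLSv1.1 tokens, emits the replacement line (TLSv1.3 plus TLSv1.2 when the OpenSSL build offers 1.3, otherwise TLSv1.2 alone), and includes a helper showing that the negotiated version is the highest version both sides accept regardless of listing order. The sample config is constructed for the example.

```python
import re

# Protocol tokens nginx accepts in ssl_protocols, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# One ssl_protocols directive per line; stops at ';' or a trailing '#' comment.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)

def audit_ssl_protocols(config: str, tls13_available: bool = True):
    """Return (findings, recommended_directive) for an nginx config string.

    findings: one (line_number, protocols, deprecated_subset) tuple per
    ssl_protocols directive found. recommended_directive is the line to
    use instead; order inside it does not affect negotiation.
    """
    findings = []
    for m in DIRECTIVE.finditer(config):
        protocols = m.group(1).split()
        line_no = config.count("\n", 0, m.start()) + 1
        weak = sorted(set(protocols) & DEPRECATED, key=ORDER.index)
        findings.append((line_no, protocols, weak))
    wanted = ["TLSv1.3", "TLSv1.2"] if tls13_available else ["TLSv1.2"]
    return findings, "ssl_protocols " + " ".join(wanted) + ";"

def negotiated_version(server: list, client: list):
    """Highest version both sides accept, independent of listing order; None if no overlap."""
    common = set(server) & set(client)
    return max(common, key=ORDER.index) if common else None

# Constructed sample config (not taken from any real deployment).
SAMPLE = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy setting
    ssl_ciphers HIGH:!aNULL;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    findings, fix = audit_ssl_protocols(SAMPLE)
    for line_no, protocols, weak in findings:
        status = "WEAK: " + ", ".join(weak) if weak else "ok"
        print(f"line {line_no}: ssl_protocols {' '.join(protocols)} -> {status}")
    print("recommended:", fix)
```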

~~~
tialaramex
Yes, as I wrote in one of the three other threads about this co-ordinated
release, the Right Thing isn't a list but a minimum version setting, and if
you really want it, maybe a maximum.

Programs like web servers that expose a list here are doing that because the
libraries they use did that, not because it makes any sense to configure it
this way.

Of course the real fix is to change libraries to offer an appropriate API, but
handling the distance between what a pre-existing library does out of the box
and what users want/need is the whole point of application software.

~~~
georgyo
Imagine that TLS 1.3 is found to have a critical flaw and to be more vulnerable
than TLS 1.2. You then set your min/max to 1.2.

Later TLS 1.4 comes out. How can I allow new TLS 1.4 and existing TLS 1.2
clients without allowing TLS 1.3 clients using your method?

The server software would have to be updated to include a blacklist or go back
to being an ordered list.

~~~
dddddaviddddd
Why not support both configuration strategies?

~~~
lmm
Because that gives the application even more chances to do the wrong thing,
which is what we were trying to avoid.

------
gsnedders
Does this affect other users of NSURL too?

