> On 28 Mar 2023, at 18:37, Yaroslav Zhuravlev <y...@nginx.com> wrote: > > > >> On 24 Mar 2023, at 15:30, Maxim Konovalov <ma...@nginx.com> wrote: >> >> Hi Yar, >> >> On 21.03.2023 00:19, Yaroslav Zhuravlev wrote: >>> diff --git a/xml/en/docs/http/ngx_http_grpc_module.xml >>> b/xml/en/docs/http/ngx_http_grpc_module.xml >>> --- a/xml/en/docs/http/ngx_http_grpc_module.xml >>> +++ b/xml/en/docs/http/ngx_http_grpc_module.xml >> [...] >>> @@ -633,7 +633,7 @@ >>> [<literal>TLSv1.1</literal>] >>> [<literal>TLSv1.2</literal>] >>> [<literal>TLSv1.3</literal>]</syntax> >>> -<default>TLSv1 TLSv1.1 TLSv1.2</default> >>> +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> >>> <context>http</context> >>> <context>server</context> >>> <context>location</context> >> >> It makes sense to add a history note here and in other modules that have >> ssl_protocol directive. > > [...] > > Hi Maxim, > > Thank you for the feedback, the patch was accordingly updated: > > # HG changeset patch > # User Yaroslav Zhuravlev <y...@nginx.com> > # Date 1678486627 0 > # Fri Mar 10 22:17:07 2023 +0000 > # Node ID 6096d51ff4d2abecc67b47bc09cfbf03be69f7b0 > # Parent ac7518a1fe1c74daba708e30405a9b5d33f606e1 > Added TLSv1.3 to the default value of ssl_protocols and friends. > > diff --git a/xml/en/docs/http/configuring_https_servers.xml > b/xml/en/docs/http/configuring_https_servers.xml > --- a/xml/en/docs/http/configuring_https_servers.xml > +++ b/xml/en/docs/http/configuring_https_servers.xml > @@ -8,7 +8,7 @@ > <article name="Configuring HTTPS servers" > link="/en/docs/http/configuring_https_servers.html" > lang="en" > - rev="13" > + rev="14" > author="Igor Sysoev" > editor="Brian Mercer"> > > @@ -31,7 +31,7 @@ > server_name www.example.com; > ssl_certificate <b>www.example.com.crt</b>; > ssl_certificate_key <b>www.example.com.key</b>; > - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; > ssl_ciphers HIGH:!aNULL:!MD5; > ... > } > @@ -59,7 +59,7 @@ > can be used to limit connections > to include only the strong versions and ciphers of SSL/TLS. > By default nginx uses > -“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</literal>” > +“<literal>ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</literal>” > and “<literal>ssl_ciphers HIGH:!aNULL:!MD5</literal>”, > so configuring them explicitly is generally not needed. > Note that default values of these directives were > @@ -110,7 +110,7 @@ > > ssl_certificate www.example.com.crt; > ssl_certificate_key www.example.com.key; > - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; > ssl_ciphers HIGH:!aNULL:!MD5; > ... > </programlisting> > @@ -446,6 +446,11 @@ > <list type="bullet"> > > <listitem> > +Version 1.23.4 and later: the default SSL protocols are TLSv1, > +TLSv1.1, TLSv1.2, and TLSv1.3 (if supported by the OpenSSL library). > +</listitem> > + > +<listitem> > Version 1.9.1 and later: the default SSL protocols are TLSv1, > TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library). > </listitem> > diff --git a/xml/en/docs/http/ngx_http_grpc_module.xml > b/xml/en/docs/http/ngx_http_grpc_module.xml > --- a/xml/en/docs/http/ngx_http_grpc_module.xml > +++ b/xml/en/docs/http/ngx_http_grpc_module.xml > @@ -10,7 +10,7 @@ > <module name="Module ngx_http_grpc_module" > link="/en/docs/http/ngx_http_grpc_module.html" > lang="en" > - rev="8"> > + rev="9"> > > <section id="summary"> > > @@ -633,7 +633,7 @@ > [<literal>TLSv1.1</literal>] > [<literal>TLSv1.2</literal>] > [<literal>TLSv1.3</literal>]</syntax> > -<default>TLSv1 TLSv1.1 TLSv1.2</default> > +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> > <context>http</context> > <context>server</context> > <context>location</context> > @@ -642,6 +642,13 @@ > Enables the specified protocols for requests to a gRPC SSL server. > </para> > > +<para> > +<note> > +The <literal>TLSv1.3</literal> parameter is used by default > +since 1.23.4. > +</note> > +</para> > + > </directive> > > > diff --git a/xml/en/docs/http/ngx_http_proxy_module.xml > b/xml/en/docs/http/ngx_http_proxy_module.xml > --- a/xml/en/docs/http/ngx_http_proxy_module.xml > +++ b/xml/en/docs/http/ngx_http_proxy_module.xml > @@ -10,7 +10,7 @@ > <module name="Module ngx_http_proxy_module" > link="/en/docs/http/ngx_http_proxy_module.html" > lang="en" > - rev="75"> > + rev="76"> > > <section id="summary"> > > @@ -2096,7 +2096,7 @@ > [<literal>TLSv1.1</literal>] > [<literal>TLSv1.2</literal>] > [<literal>TLSv1.3</literal>]</syntax> > -<default>TLSv1 TLSv1.1 TLSv1.2</default> > +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> > <context>http</context> > <context>server</context> > <context>location</context> > @@ -2106,6 +2106,13 @@ > Enables the specified protocols for requests to a proxied HTTPS server. > </para> > > +<para> > +<note> > +The <literal>TLSv1.3</literal> parameter is used by default > +since 1.23.4. > +</note> > +</para> > + > </directive> > > > diff --git a/xml/en/docs/http/ngx_http_ssl_module.xml > b/xml/en/docs/http/ngx_http_ssl_module.xml > --- a/xml/en/docs/http/ngx_http_ssl_module.xml > +++ b/xml/en/docs/http/ngx_http_ssl_module.xml > @@ -10,7 +10,7 @@ > <module name="Module ngx_http_ssl_module" > link="/en/docs/http/ngx_http_ssl_module.html" > lang="en" > - rev="59"> > + rev="60"> > > <section id="summary"> > > @@ -76,7 +76,7 @@ > listen 443 ssl; > <emphasis>keepalive_timeout 70;</emphasis> > > - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; > ssl_ciphers > AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; > ssl_certificate /usr/local/nginx/conf/cert.pem; > ssl_certificate_key /usr/local/nginx/conf/cert.key; > @@ -595,7 +595,7 @@ > [<literal>TLSv1.1</literal>] > [<literal>TLSv1.2</literal>] > [<literal>TLSv1.3</literal>]</syntax> > -<default>TLSv1 TLSv1.1 TLSv1.2</default> > +<default>TLSv1 TLSv1.1 TLSv1.2 TLSv1.3</default> > <context>http</context> > <context>server</context> > > @@ -609,6 +609,10 @@ > The <literal>TLSv1.3</literal> parameter (1.13.0) works only when > OpenSSL 1.1.1 or higher is used. > </note> > +<note> > +The <literal>TLSv1.3</literal> parameter is used by default > +since 1.23.4. > +</note> > </para> > > </directive>
[..] Looks good for me. -- Sergey Kandaurov _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
