Score:0

Support a specific TLS version for an nginx server block


Our nginx server hosts multiple server blocks (hosts), which share the same `ssl_protocols` (TLSv1.1 TLSv1.2).

    http {
      ssl_protocols TLSv1.1 TLSv1.2;
    }

Recently, TLS for one host needs to be upgraded to TLSv1.3 and should not support any version under 1.3 for compliance, while the other hosts should stay the same (some of their clients still use 1.2 and 1.1) for compatibility.

I tried adding

    server {
      ssl_protocols TLSv1.3;
    }

in the corresponding server block, with the expectation that the `ssl_protocols` directive inside the server block would overwrite the outer one. But the scan test shows that the result is a combination of all `ssl_protocols` instead of an overwrite.

Is there any other solution for this issue: supporting a specific TLS version for a server without supporting other, lower versions?

muru
`ssl_protocols` is used for enabling, so you should remove the global `http` block `ssl_protocols TLSv1.1 TLSv1.2` and add that to the `server` blocks that require those to be enabled.
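The layout described in the comment above, written out as an added example that is not part of the original thread: the protocol list is removed from `http` and declared in each `server` block instead. The hostnames and certificate paths are placeholders, and it assumes the nginx and OpenSSL build in use applies a per-server `ssl_protocols` to name-based virtual hosts, which the scan in the note below confirms or refutes.

```nginx
# Added example; hostnames and certificate paths are placeholders.
http {
    # No ssl_protocols at this level, so no server block inherits a
    # shared protocol list.

    # Host whose clients still use TLS 1.1 and 1.2
    server {
        listen 443 ssl;
        server_name legacy.example.com;                   # placeholder
        ssl_certificate     /etc/nginx/tls/legacy.crt;    # placeholder
        ssl_certificate_key /etc/nginx/tls/legacy.key;    # placeholder

        ssl_protocols TLSv1.1 TLSv1.2;
    }

    # Compliance host: TLS 1.3 only
    server {
        listen 443 ssl;
        server_name secure.example.com;                   # placeholder
        ssl_certificate     /etc/nginx/tls/secure.crt;    # placeholder
        ssl_certificate_key /etc/nginx/tls/secure.key;    # placeholder

        # The TLSv1.3 parameter needs nginx built against OpenSSL 1.1.1 or later.
        ssl_protocols TLSv1.3;
    }
}
```

After `nginx -t` and a reload, scan each hostname separately with SNI set, for example `openssl s_client -connect HOST:443 -servername HOST -tls1_2`, and again with `-tls1_1` and `-tls1_3`. The compliance host should complete only the `-tls1_3` handshake.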