0

For security I have to set up an nginx server with TLSv1.1 or TLSv1.2. By default, nginx configures TLSv1.

Reading the documentation I see that nginx has to set the following directive:

ssl_protocols TLSv1.1 TLSv1.2;

http://nginx.org/en/docs/http/configuring_https_servers.html

But when I run the command:

# /etc/init.d/nginx configtest

Following message appears:

Testing nginx configuration: [warn]: invalid value "TLSv1.1" in /etc/nginx/nginx.conf: 175 configuration file /etc/nginx/nginx.conf test failed

Is the documentation lying?

The platform is Debian Squeeze and the nginx version is 0.7.67.

Thanks

Gon

2 Answers

3

According to archive.org ( http://web.archive.org/web/20120116033748/http://nginx.org/en/docs/http/configuring_https_servers.html ) TLSv1.2 support was added between January and February 2012. Nginx 0.7.67 is from 2010.

You might want to use the backport of nginx 1.2 ( http://packages.debian.org/search?keywords=nginx ) and you almost certainly want to look into upgrading the OS :P

Shish
  • Thanks for responding. Apart from updating nginx, would I need to update the openssl package, or does version 0.9.8o already support TLSv1.1 and TLSv1.2? – Gon Sep 13 '13 at 09:50
  • @Gon At this point squeeze is so ancient you're almost certainly better off rebuilding the server on an up-to-date distribution, which Debian almost never is. – Michael Hampton Sep 15 '13 at 21:36
2

openssl @ squeeze is: OpenSSL 0.9.8o 01 Jun 2010, but you'll need 1.0.1x, so you'll have to download the openssl sources and tell nginx @ compile-time which version to use:

./configure ... --with-http_ssl_module  \
                --with-openssl=/path/to/openssl_source/ ... 

I wouldn't recommend updating the system's openssl packages from backports et al.
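
A pre-flight check for the situation in this question, as an added example that is not part of the original posts: it tells you whether `ssl_protocols TLSv1.1 TLSv1.2;` can work before you run `configtest`. The nginx thresholds (1.1.13 and 1.0.12) are taken from the nginx `ssl_protocols` documentation rather than from this page, and all function names are illustrative.

```shell
#!/bin/sh
# Added example: will "ssl_protocols TLSv1.1 TLSv1.2;" work with these versions?

# ver_ge A B: succeed if version A >= B, comparing three numeric fields.
# Letter suffixes such as the "o" in OpenSSL 0.9.8o are ignored.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9.]/, "", a); split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read `nginx -V 2>&1` output on stdin, print the bare version number.
parse_nginx_version() {
    sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'
}

# nginx parses TLSv1.1/TLSv1.2 from 1.1.13 (mainline) and 1.0.12 (1.0.x branch).
nginx_accepts_tls12() {
    case $1 in
        1.0.*) ver_ge "$1" 1.0.12 ;;
        *)     ver_ge "$1" 1.1.13 ;;
    esac
}

# OpenSSL implements TLSv1.1/TLSv1.2 from 1.0.1 on.
openssl_has_tls12() { ver_ge "$1" 1.0.1; }

# check_tls12 NGINX_VER OPENSSL_VER: print each blocker, fail if any.
# OPENSSL_VER must be the library nginx is built against, which
# differs from `openssl version` when --with-openssl was used.
check_tls12() {
    rc=0
    nginx_accepts_tls12 "$1" || { echo "nginx $1: needs 1.1.13+ or 1.0.12+"; rc=1; }
    openssl_has_tls12 "$2" || { echo "OpenSSL $2: needs 1.0.1+"; rc=1; }
    return $rc
}

# Versions from the question (Debian Squeeze): both checks fail.
check_tls12 0.7.67 0.9.8o || echo "=> upgrade or rebuild before setting ssl_protocols"
```

On a live host, feed it real values with `check_tls12 "$(nginx -V 2>&1 | parse_nginx_version)" <openssl-version-nginx-was-built-with>`.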