Lately I was playing with OpenResty and lua-resty-auto-ssl and can't find how to disable TLS 1.0 and TLS 1.1 (and add ciphers). I just read the whole internet twice and found nothing. In nginx it is a simple one-liner, ssl_protocols TLSv1.3 TLSv1.2;
but it's not affecting lua-resty-auto-ssl. I have no idea how to do it; it would be nice if someone could shed some light on this topic.
Viewed 876 times
2

Abc Xyz
- 'Auto generated certs' have nothing to do with it. The TLS protocol version is determined by the applications, not by the certificates. Off topic. – user207421 Jul 29 '20 at 04:02
2 Answers
2
- This didn't work for me. It doesn't limit the SSL version. Are you able to provide a gist of your nginx.conf? – silverdagger Nov 03 '20 at 02:30
- https://github.com/openresty/lua-nginx-module#lua_ssl_protocols I found the answer here. The values are not a limit (blacklist) on SSL but are like a whitelist, so in this answer only TLSv1.2 and TLSv1.3 are allowed. – Abc Xyz Nov 03 '20 at 18:43
- You can test your OpenResty configuration here https://www.ssllabs.com/ssltest and be sure you are using OpenResty, not nginx. – Abc Xyz Nov 03 '20 at 18:51
0
OpenResty on bionic using the Docker container with the auto-ssl Lua component on our production system required that we simply use the standard directive ssl_protocols TLSv1.2 TLSv1.3; inside the http section. This is currently working for us as shown here:
➜ http --ssl=tls1.1 https://my-custom-domain.foo.com/my-special-page --output tmp.html
http: error: SSLError: HTTPSConnectionPool(host='my-custom-domain.foo.com', port=443): Max retries exceeded with url: /my-special-page (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1122)'))) ...
I hope this can be clarifying for some people as using the lua_ssl_protocols directive didn't work for me.

silverdagger
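
The two directives discussed in this thread, placed side by side in one http block, as an added example (not code from either poster or from the lua-resty-auto-ssl project). ssl_protocols and ssl_ciphers govern the server-side handshake, while lua_ssl_protocols applies to outbound tcpsock:sslhandshake connections made from Lua; the domain, resolver, cipher list and fallback certificate paths are assumptions.

```nginx
# Added example: http block only; assumes lua-resty-auto-ssl is installed and a
# self-signed fallback certificate exists at the (assumed) paths below.
http {
    # Server-side TLS settings for every "listen ... ssl" socket.
    # This is an allow-list: protocols not named here are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Example TLS 1.2 cipher list (assumed; adapt to your client base).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Client-side setting: only covers outbound cosocket handshakes
    # (tcpsock:sslhandshake), e.g. Lua code calling an HTTPS API.
    lua_ssl_protocols TLSv1.2 TLSv1.3;

    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;
    resolver 8.8.8.8 ipv6=off;

    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        -- Constructed policy: restrict issuance to one placeholder domain.
        auto_ssl:set("allow_domain", function(domain)
            return domain == "example.com"
        end)
        auto_ssl:init()
    }
    init_worker_by_lua_block { auto_ssl:init_worker() }

    server {
        listen 443 ssl;
        # auto-ssl swaps in the certificate during the handshake; protocol
        # and cipher negotiation still follow the ssl_* directives above.
        ssl_certificate_by_lua_block { auto_ssl:ssl_certificate() }
        ssl_certificate     /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
    }
    server {
        listen 80;
        location /.well-known/acme-challenge/ {
            content_by_lua_block { auto_ssl:challenge_server() }
        }
    }
    server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;
        location / { content_by_lua_block { auto_ssl:hook_server() } }
    }
}
```

After a reload, the http --ssl=tls1.1 check from the answer above should fail with the protocol-version alert while a TLS 1.2 request succeeds.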