Merge pull request #56233 from jtojnar/nginx-tlsv13

nixos/nginx: Enable TLS 1.3 support
2024-11-01 07:01:54 +00:00 · 2019-03-03 14:19:38 +01:00 · 2019-03-03 14:19:38 +01:00 · 768336a74b
commit 768336a74b
parent 20b066356a f93ff28c62
3 changed files with 7 additions and 2 deletions
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@ -677,6 +677,9 @@
       This may break some older applications that still rely on those symbols.
       An upgrade guide can be found <link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
     </para>
+    <para>
+     The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by default. You can set the protocols used by the nginx service using <xref linkend="opt-services.nginx.sslProtocols"/>.
+    </para>
   </listitem>
   <listitem>
     <para>
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -491,8 +491,8 @@ in

      sslProtocols = mkOption {
        type = types.str;
-        default = "TLSv1.2";
-        example = "TLSv1 TLSv1.1 TLSv1.2";
+        default = "TLSv1.2 TLSv1.3";
+        example = "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3";
        description = "Allowed TLS protocol versions.";
      };

--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -13734,12 +13734,14 @@ in
    # We don't use `with` statement here on purpose!
    # See https://github.com/NixOS/nixpkgs/pull/10474/files#r42369334
    modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
+    openssl = openssl_1_1;
  };

  nginxMainline = callPackage ../servers/http/nginx/mainline.nix {
    # We don't use `with` statement here on purpose!
    # See https://github.com/NixOS/nixpkgs/pull/10474/files#r42369334
    modules = [ nginxModules.dav nginxModules.moreheaders ];
+    openssl = openssl_1_1;
  };

  nginxModules = callPackage ../servers/http/nginx/modules.nix { };