Old TLS protocols 1.0 and 1.1 not used even when specified in hitch.conf
alexcernat opened this issue · 1 comment
Version 1.5.0-1 on Debian 10.
tls-protos = TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Even though all TLS protocols are specified, only v1.2 and v1.3 are available (tested with the Qualys SSL tester).
Actually, it's not necessarily a hitch bug but an OpenSSL 1.1.x configuration issue. The minimum server global configuration version was bumped to v1.2, but any program can "override" this behavior (for example, nginx does this without any special OpenSSL configuration, just by specifying the desired protocols in nginx.conf).
From /etc/ssl/openssl.cnf (path may vary on your distribution):
[system_default_sect]
#MinProtocol = TLSv1.2
MinProtocol = TLSv1
Changing the CipherString parameter as well is not necessary (maybe only when supporting some very, very old browsers).
With these settings (the default ones left commented out) you can enable the TLS v1.0 and v1.1 protocols in hitch for old clients.
I think this should at least be in the documentation, if the code can't support it (as nginx does).
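The point of the report above is that hitch inherits whatever floor the system-wide openssl.cnf sets, so on a host where that file has been edited the effective minimum protocol is no longer what `tls-protos` says. The following is an added audit script, not code from the issue or from the hitch project: it parses an openssl.cnf, follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain, and reports whether the resulting `MinProtocol` is weaker than a chosen policy floor. The section names (`default_conf`, `ssl_sect`, `system_default_sect`) are assumed from Debian's shipped layout, and the embedded config is a constructed sample that mirrors the edit described in the issue.

```python
"""Audit the system-wide OpenSSL 1.1.x default minimum TLS protocol.

Added example (not from the hitch project). Resolves the openssl.cnf chain
openssl_conf -> ssl_conf -> system_default and reports the MinProtocol in
effect for every program that does not override it itself.
"""
import re
import sys

# Constructed sample modelled on the Debian 10 layout described in the
# issue: the shipped TLSv1.2 floor is commented out and TLSv1 is active.
# Section names are assumptions taken from Debian's default file.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
#MinProtocol = TLSv1.2
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2
"""

# Ordering used to compare protocol versions (weakest first).
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_cnf(text):
    """Minimal parser for OpenSSL's INI-like config format.

    Keys before the first [section] header go into the pseudo-section
    "default". A later duplicate key overrides an earlier one, which is why
    the active "MinProtocol = TLSv1" line wins over the commented-out one
    (the comment is stripped before the key is ever seen).
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def effective_min_protocol(sections):
    """Follow openssl_conf -> ssl_conf -> system_default.

    Returns the MinProtocol found at the end of the chain, or None when any
    link is missing (OpenSSL's compiled-in default then applies instead).
    """
    top = sections["default"].get("openssl_conf")
    if top not in sections:
        return None
    ssl_sect = sections[top].get("ssl_conf")
    if ssl_sect not in sections:
        return None
    sysdef = sections[ssl_sect].get("system_default")
    if sysdef not in sections:
        return None
    return sections[sysdef].get("MinProtocol")


def weaker_than_floor(min_protocol, floor="TLSv1.2"):
    """True if the configured floor is below `floor`; None if it cannot be
    ranked (absent or an unrecognised value), so callers do not mistake
    "unknown" for "acceptable"."""
    if min_protocol not in PROTOCOL_ORDER or floor not in PROTOCOL_ORDER:
        return None
    return PROTOCOL_ORDER.index(min_protocol) < PROTOCOL_ORDER.index(floor)


def audit(text, floor="TLSv1.2"):
    """Parse one config text and return the verdict as a dict."""
    min_proto = effective_min_protocol(parse_cnf(text))
    return {"min_protocol": min_proto,
            "weaker_than_floor": weaker_than_floor(min_proto, floor)}


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CNF
    print(audit(source))
```

Run it as `python audit_openssl_cnf.py /etc/ssl/openssl.cnf` to check a host; without an argument it audits the embedded sample and reports `TLSv1` as weaker than the `TLSv1.2` floor. Because hitch takes the system default while nginx sets its own, a clean result here is what tells you the `tls-protos` line in hitch.conf is actually the floor that clients see.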
Hi @alexcernat
Thanks a lot. I added some notes for this in the docs, see https://github.com/varnish/hitch/blob/master/hitch.conf.man.rst#tls-protos--