$ssl_protocol

Description

The $ssl_protocol variable in NGINX exposes the specific SSL/TLS protocol version negotiated for a secure connection between a client and the server. This variable is set only when SSL is enabled in the configuration, and it reflects the latest protocol version used for the current request at runtime. It can return values such as 'TLSv1.2', 'TLSv1.3', or 'SSLv3', depending on the protocols enabled in the server's SSL configuration. When utilized, $ssl_protocol is particularly useful for logging and conditional processing within NGINX configurations. For instance, an administrator may want to adjust settings based on the security level of the protocol used. The variable is typically populated during the TLS handshake process, and like other connection-level variables, it can be accessed in various contexts such as location or server blocks. This makes it straightforward to apply conditional logic or enhance security measures based on the protocol version in use. It's important for users to understand that the availability of different protocol values largely depends on the cipher suites and protocols configured in the server block. If a particular protocol version (like TLSv1.3) is not enabled, the value of $ssl_protocol may reflect the next available version that can be negotiated by the server and the client.

Config Example

server {
    listen 443 ssl;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Log the SSL protocol used
    access_log /var/log/nginx/ssl_protocol.log 'SSL Protocol: $ssl_protocol';
}