nginx 0.7.65 and TLS1.2

nginx 0.7.65 and TLS1.2

Marko Domanović
Long story short, I need nginx 0.7.65 to be able to support TLS1.2.
Seems like it's dependent on openssh version and installed one is 1.0.1t
which seems to support TLS1.2, but "nmap --script ssl-enum-ciphers -p 443
sitename" says only SSLv3 and TLS1.0 are supported. So is there anything
I can do to make nginx 0.7.65 recognize TLS1.2 and use it?

Yeah I know I talk about ancient software here, but I'm in no position
to do very wide upgrades. Debian 6 is the system.

Thanks!

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

RE: nginx 0.7.65 and TLS1.2

Reinis Rozitis
> it's dependent on openssh version and installed one is 1.0.1t

On openssl.


> which seems to support TLS1.2, but "nmap --script ssl-enum-ciphers -p 443
> sitename" says only SSLv3 and TLS1.0 are supported. So is there anything I
> can do to make nginx 0.7.65 recognize TLS1.2 and use it?
>
> Yeah I know I talk about ancient software here, but I'm in no position to do
> very wide upgrades. Debian 6 is the system.


I'm not sure it's supported in nginx in that particular version as:

Changes with nginx 1.1.13                                        16 Jan 2012

    *) Feature: the "TLSv1.1" and "TLSv1.2" parameters of the
       "ssl_protocols" directive.



But is there a reason you can't compile a newer nginx/openssl and use that instead of the 10 year old Debian package?

You can compile/link nginx with openssl statically so it doesn't affect the system package and dependencies in any way:

1. download and extract https://www.openssl.org/source/openssl-1.1.1g.tar.gz
2. download and extract http://nginx.org/download/nginx-1.18.0.tar.gz
3. configure the nginx with: ./configure --with-openssl=path/extracted/openssl-1.1.1g --with-openssl-opt=enable-weak-ssl-ciphers
(obviously add other configure options like --prefix --with-http_ssl_module --with-http_v2_module etc .. you can check the current configuration with 'nginx -V')
4. make

And now you have an nginx binary with statically linked openssl 1.1.1 which also has TLS 1.3 support.


rr





Re: nginx 0.7.65 and TLS1.2

Sergey Kandaurov
In reply to this post by Marko Domanović

> On 15 May 2020, at 12:43, Marko Domanović <[hidden email]> wrote:
>
> Long story short, I need nginx 0.7.65 to be able to support TLS1.2.
> Seems like it's dependent on openssh version and installed one is 1.0.1t
> which seems to support TLS1.2, but "nmap --script ssl-enum-ciphers -p 443
> sitename" says only SSLv3 and TLS1.0 are supported. So is there anything
> I can do to make nginx 0.7.65 recognize TLS1.2 and use it?
>

Technically, you could.
You just won't be able to disable this protocol in configuration.

$ printf "GET / HTTP/1.0\n\n" | openssl s_client -connect 127.0.0.1:8081 -ign_eof
...
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
...
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Fri, 15 May 2020 10:14:17 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Fri, 15 May 2020 10:12:53 GMT
Connection: close
Accept-Ranges: bytes

$ ./objs/nginx -V
nginx version: nginx/0.7.65
TLS SNI support enabled

--
Sergey Kandaurov
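
Added example, not written by any poster in this thread: the s_client check shown above, repeated once per protocol version so the result can be compared with the nmap ssl-enum-ciphers output after a rebuild. The function names and the NONE / UNSUPPORTED_BY_CLIENT labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: which protocol versions does a TLS server accept?
# Function names and the NONE / UNSUPPORTED_BY_CLIENT labels are assumptions.

# Read `openssl s_client` output on stdin, print the negotiated protocol.
parse_protocol() {
    awk '
        # The local openssl build rejected the -ssl3/-tls1_3 style flag
        # (heuristic: the exact error wording differs between releases).
        tolower($0) ~ /unknown option/ { unknown = 1 }
        # OpenSSL 1.1.0+ summary line: "New, TLSv1.2, Cipher is ...".
        # OpenSSL 1.0.x prints "New, TLSv1/SSLv3, ..." for every version.
        /^New, / { split($0, f, ", "); summary = f[2] }
        # A failed handshake still prints a session block, so record it.
        /Cipher is \(NONE\)/ { failed = 1 }
        # Session block: "    Protocol  : TLSv1.2" (authoritative on 1.0.x).
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); session = $0 }
        END {
            if (unknown)                                 print "UNSUPPORTED_BY_CLIENT"
            else if (failed)                             print "NONE"
            else if (summary == "" && session == "")     print "NONE"
            else if (session != "")                      print session
            else                                         print summary
        }
    '
}

# probe HOST:PORT : one handshake per protocol flag.
# NONE means this client completed no handshake; the client build or its
# policy can also refuse old protocols, so read NONE next to the server config.
probe() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(openssl s_client -connect "$1" "$flag" </dev/null 2>&1 |
                 parse_protocol)
        printf '%-9s %s\n' "$flag" "$result"
    done
}

# Run only when a target is given, e.g.: sh probe.sh 127.0.0.1:8081
if [ "$#" -ge 1 ]; then probe "$1"; fi
```

Run it with the same openssl binary nginx was linked against where possible, since an older client cannot offer TLS 1.3 and a newer one may refuse SSLv3.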
