nginx-1.17.3 and TLS v1.3

nginx-1.17.3 and TLS v1.3

satay
Hi,

I am new to this forum, but not new to nginx. I am running multiple debian
servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.

nginx version: nginx/1.14.1
built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1c  28 May
2019)
TLS SNI support enabled

To prevent the servers against the new bugs, I tried to upgrade directly to
1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
is not running anymore:

nginx version: nginx/1.17.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May
2019)
TLS SNI support enabled

Where is the error?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285294,285294#msg-285294

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: nginx-1.17.3 and TLS v1.3

targon
I suggest you consider investigating Intel's Clear Linux.

Read specifically about swupd and bundles.

This is a ‘Stateless’ OS

In particular to your issues, on Clear Linux you'd install nginx-mainline bundle,
all the source packages and dependencies are tested with the bundle before distribution to swupd

Example, the nginx-mainline bundle version requires lib-openssl, the one and only compatible tested lib-openssl package version will be included.

This strategy eliminates all those fragmented dependency issues every other Linux distro, where you install nginx but you’ve no real idea what openssl version is going to work with it.

Admittedly, Clear Linux is a little unfamiliar at first but give it a try, there’s far less headaches to deal with than the other ‘popular’ distros.

Apologies for not addressing your issue directly.

On 15 Aug 2019, at 21:05, TC_Hessen <[hidden email]> wrote:

Hi,

I am new to this forum, but not new to nginx. I am running multiple debian
servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.

nginx version: nginx/1.14.1
built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1c  28 May
2019)
TLS SNI support enabled

To prevent the servers against the new bugs, I tried to upgrade directly to
1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
is not running anymore:

nginx version: nginx/1.17.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May
2019)
TLS SNI support enabled

Where is the error?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285294,285294#msg-285294

Re: nginx-1.17.3 and TLS v1.3

Maxim Dounin
In reply to this post by satay
Hello!

On Thu, Aug 15, 2019 at 09:05:42AM -0400, TC_Hessen wrote:

> Hi,
>
> I am new to this forum, but not new to nginx. I am running multiple debian
> servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.
>
> nginx version: nginx/1.14.1
> built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1c  28 May
> 2019)
> TLS SNI support enabled
>
> To prevent the servers against the new bugs, I tried to upgrade directly to
> 1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
> is not running anymore:
>
> nginx version: nginx/1.17.3
> built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
> built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May
> 2019)
> TLS SNI support enabled
>
> Where is the error?

The OS you are using is shipped with OpenSSL 1.1.0j, and nginx is
built with this old OpenSSL version.  As such, TLSv1.3 is not
available.

There was a bug which made TLSv1.3 always enabled when nginx was
compiled with OpenSSL 1.1.0 and running with OpenSSL 1.1.1, it was
fixed in nginx 1.15.6 and 1.14.2 (quote from
http://nginx.org/en/CHANGES-1.14):

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

Since you were using nginx 1.14.1 previously, TLS 1.3 was enabled
due to this bug.

--
Maxim Dounin
http://mdounin.ru/
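
The check described in the reply above, as an added example that is not part of the original thread or of nginx itself: it reads `nginx -V` output, compares the OpenSSL version nginx was built with against the one it is running with, and reports whether TLS 1.3 can be expected. The function names and status strings are hypothetical; the version thresholds are the ones named in the thread (OpenSSL 1.1.1, nginx 1.14.2 and 1.15.6).

```python
import re

# Constructed samples: the two `nginx -V` outputs quoted in the thread,
# with the mail client's line wrapping undone.
OLD = """nginx version: nginx/1.14.1
built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1c  28 May 2019)
TLS SNI support enabled
"""
NEW = """nginx version: nginx/1.17.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May 2019)
TLS SNI support enabled
"""

def _ver(text):
    """'1.1.0j' -> (1, 1, 0); the patch letter is irrelevant here."""
    return tuple(int(n) for n in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def parse(output):
    """Return (nginx, built_with, running_with) as version tuples."""
    nginx = re.search(r"nginx version: nginx/(\S+)", output)
    built = re.search(r"built with OpenSSL (\S+)", output)
    if nginx is None or built is None:
        raise ValueError("not `nginx -V` output from an OpenSSL build")
    running = re.search(r"running with OpenSSL (\S+)", output)
    # nginx adds "running with" only when the loaded library differs
    # from the one it was compiled against.
    return (_ver(nginx.group(1)), _ver(built.group(1)),
            _ver((running or built).group(1)))

def tls13_status(output):
    nginx, built, running = parse(output)
    if running < (1, 1, 1):
        return "unavailable: loaded OpenSSL predates 1.1.1"
    if built >= (1, 1, 1):
        return "available"
    # Built against 1.1.0, running with 1.1.1: the case in this thread.
    if nginx >= (1, 15, 6) or (1, 14, 2) <= nginx < (1, 15, 0):
        return "unavailable: built against OpenSSL older than 1.1.1"
    if nginx[:2] in ((1, 14), (1, 15)):
        return "enabled only by the bug fixed in 1.14.2 / 1.15.6"
    return "not assessed: release predates those named in the thread"

if __name__ == "__main__":
    for sample in (OLD, NEW):
        print(tls13_status(sample))
```

On a live host, `nginx -V` writes to stderr, so capture it with `nginx -V 2>&1`. A result of "available" means the build supports TLS 1.3; it still has to be allowed by the `ssl_protocols` directive.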