no TLS1.3 with 1.15.5

no TLS1.3 with 1.15.5

nginx mailing list
Hello, everyone.

I am stuck with a fresh installation which runs absolutely fine except it doesn't offer TLS1.3, which is the biggest reason for updating the server.

Below is some info about my config.

Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic

nginx compile options: nginx/1.15.5 (Ubuntu)
built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_geoip_module=dynamic --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --without-http_empty_gif_module --without-http_browser_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-debug

/etc/nginx/sites-available/default:

ssl_session_cache shared:SSL:1m;

server {

ssl_early_data on;
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
ssl_ecdh_curve secp521r1:secp384r1;

}

I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that is TLS1.3 RFC as far as I know) and ssllabs.com's test says TLSv1.3 is non-existent on the server.

Any help would be much appreciated.

Bogdan

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: no TLS1.3 with 1.15.5

A. Schulze


On 03.11.18 at 19:14, Bogdan via nginx wrote:

> Hello, everyone.
>
> I am stuck with a fresh installation which runs absolutely fine except it doesn't offer TLS1.3, which is the biggest reason for updating the server.
>
> Below is some info about my config.
>
> Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic
>
> nginx compile options: nginx/1.15.5 (Ubuntu)
> built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
> built with OpenSSL 1.1.1  11 Sep 2018
> TLS SNI support enabled
> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_geoip_module=dynamic --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1
> --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --without-http_empty_gif_module --without-http_browser_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-debug

Hello Bogdan,

While I don't really have a helpful suggestion for you, I noticed you disabled "nextprotoneg" for openssl.
May I kindly ask why you did so?

> /etc/nginx/sites-available/default:
>
> ssl_session_cache shared:SSL:1m;
>
> server {
>
> ssl_early_data on;
that one I did not know, so thanks for the hint.

> ssl_dhparam /etc/nginx/ssl/dh4096.pem;
> ssl_session_timeout 5m;
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.2 TLSv1.3;
> ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
> ssl_ecdh_curve secp521r1:secp384r1;

Try to disable as many options as possible. I would start by leaving the ssl_dhparam, stapling, ciphers and curve options on their defaults.

> }
>
> I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that is TLS1.3 RFC as far as I know) and ssllabs.com's test says TLSv1.3 is non-existent on the server.
Also using "openssl s_client" is a good method for measurement.

>
> Any help would be much appreciated.
Are you sure nginx is really not built against the distribution's openssl, which does _not_ support TLS1.3?

>
> Bogdan

Good luck!
Andreas

Re: no TLS1.3 with 1.15.5

nginx mailing list
Hi, Andreas!


I disabled NPN (Next Protocol Negotiation) because, as far as I know (not very far and it comes from what I've read, since I am not an expert), ALPN with HTTP/2 is more efficient and offers lower latency. Google also dropped support for NPN in their Chrome browser.

Indeed I tried to disable as many lines as possible, but the compile options for nginx weren't the culprit. The distribution's openssl was also compiled from scratch (v1.1.1), so there was no chance that on my system I was using versions of software which were not able to offer TLS1.3 support.

The problem was that in /etc/nginx/nginx.conf I had this line which I missed:

ssl_protocols TLSv1.2;

It was a configuration error on my part, so updating the line as follows solved the problem:

ssl_protocols TLSv1.2 TLSv1.3;

A great deal of trouble for only a few missing characters, but once the trouble is gone, the server runs great. :)



Thank you for your suggestions!

Bogdan




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, November 4, 2018 2:31 PM, A. Schulze <[hidden email]> wrote:




Re: no TLS1.3 with 1.15.5

Alex Samad
Hi

Don't you need an openssl that works with 1.3 as well?
My sticking point is CentOS 6 - no openssl that comes with 1.3, as far as I know.

A

On Mon, 5 Nov 2018 at 06:10, Bogdan via nginx <[hidden email]> wrote:

Re: no TLS1.3 with 1.15.5

Maxim Dounin
Hello!

On Sat, Nov 03, 2018 at 06:14:15PM +0000, Bogdan via nginx wrote:


Make sure you have properly configured ssl_protocols in the
default server for the listen socket in question.  If unsure,
configure ssl_protocols at the http{} level.

Note well that testing using "openssl s_client" from the OpenSSL
library you've built nginx with is the most reliable approach, as it
ensures that the proper TLSv1.3 variant is used by the client.

--
Maxim Dounin
http://mdounin.ru/
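Maxim's two checks above (look at the ssl_protocols of the default server for the listen socket, and verify with "openssl s_client" from the same OpenSSL build) and Bogdan's own finding earlier in the thread (an http-level `ssl_protocols TLSv1.2;` in nginx.conf that silently capped the whole socket) can both be scripted. The block below is an added example written for this edit; it is not code from the thread or from nginx. It applies the rule Maxim states to a constructed config that mirrors Bogdan's situation (the http-level line, a catch-all server listed before the site that enables TLSv1.3), and it parses the `New, TLSv1.3, Cipher is ...` line that s_client prints after a successful handshake. Everything in it is a simplification or an assumption: the parser understands only the directives used in the sample, listen addresses are compared as literal strings, `NGINX_DEFAULT_PROTOCOLS` is assumed to be nginx 1.15's documented default, `example.test` is a placeholder name, and the config text and s_client output are constructed samples rather than captures from Bogdan's server.

```python
"""Added example: which ssl_protocols does a listen socket really offer?

Rule applied (as stated in the thread): the TLS version is negotiated before
SNI picks a server{}, so the ssl_protocols of the *default* server for a
listen socket (explicit default_server, otherwise the first server that
listens there) decides whether TLSv1.3 is offered at all.  A server{} block's
own ssl_protocols overrides the http{} value; without one it inherits it.
Simplified parser: only the directives used below are understood, listen
addresses are compared as literal strings, and NGINX_DEFAULT_PROTOCOLS is an
assumption (nginx 1.15's documented default), not read from any binary.
"""
import re

# Assumed default for nginx 1.15.x when ssl_protocols is set nowhere.
NGINX_DEFAULT_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample: the forgotten http-level line from the thread plus a
# catch-all server listed before the site that enables TLSv1.3.
BROKEN_CONFIG = """
http {
    ssl_protocols TLSv1.2;               # the line Bogdan had missed
    server {
        listen 443 ssl;                  # first server on :443 -> default server
        server_name _;                   # inherits TLSv1.2 only
    }
    server {
        listen 443 ssl;
        server_name example.test;        # placeholder name
        ssl_protocols TLSv1.2 TLSv1.3;   # correct, but not the default server
    }
}
"""
# Bogdan's fix: widen the http-level directive.
FIXED_CONFIG = BROKEN_CONFIG.replace("ssl_protocols TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")


def tokenize(text):
    """Split config text into 'name args {', 'name args;' and '}' tokens (comments dropped)."""
    text = re.sub(r"#[^\n]*", "", text)
    return [t.strip() for t in re.findall(r"[^;{}]+;|[^;{}]+\{|\}", text)]


def parse(tokens, pos=0):
    """Recursive-descent parse into (name, args, children) triples; children is None for directives."""
    items = []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            break
        if tok.endswith("{"):
            head = tok[:-1].split()
            children, pos = parse(tokens, pos)
            items.append((head[0], head[1:], children))
        else:
            parts = tok[:-1].split()
            items.append((parts[0], parts[1:], None))
    return items, pos


def directive(items, name):
    """Arguments of the first directive called `name` in a block, or None."""
    for item_name, args, _ in items:
        if item_name == name:
            return args
    return None


def effective_protocols(config_text):
    """Map each ssl listen socket to (default server name, protocols it offers)."""
    tree, _ = parse(tokenize(config_text))
    sockets = {}
    for name, _args, children in tree:
        if name != "http":
            continue
        http_protocols = tuple(directive(children, "ssl_protocols") or NGINX_DEFAULT_PROTOCOLS)
        for sname, _sargs, body in children:
            if sname != "server":
                continue
            server_name = (directive(body, "server_name") or ["(unnamed)"])[0]
            protocols = tuple(directive(body, "ssl_protocols") or http_protocols)
            for dname, largs, _ in body:
                if dname != "listen" or "ssl" not in largs:
                    continue
                sock, explicit = largs[0], "default_server" in largs
                # First server on a socket is the default unless a later one says default_server.
                if sock not in sockets or (explicit and not sockets[sock][2]):
                    sockets[sock] = (server_name, protocols, explicit)
    return {sock: (name, protos) for sock, (name, protos, _) in sockets.items()}


def missing_tls13(config_text):
    """(socket, default server) pairs whose handshake can never reach TLSv1.3."""
    return [(sock, name) for sock, (name, protos) in effective_protocols(config_text).items()
            if "TLSv1.3" not in protos]


# Constructed samples of what `openssl s_client -connect host:443` prints after
# the handshake; on failure the real tool prints "New, (NONE), Cipher is (NONE)".
S_CLIENT_TLS13 = "CONNECTED(00000003)\n---\nNew, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\n"
S_CLIENT_NONE = "CONNECTED(00000003)\n---\nNew, (NONE), Cipher is (NONE)\n"


def negotiated_protocol(s_client_output):
    """(version, cipher) from s_client's 'New, <version>, Cipher is <cipher>' line, or None."""
    m = re.search(r"^New, (TLSv1\.\d|SSLv\d), Cipher is (\S+)", s_client_output, re.M)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, effective_protocols(cfg), "missing TLSv1.3 on:", missing_tls13(cfg))
    print(negotiated_protocol(S_CLIENT_TLS13), negotiated_protocol(S_CLIENT_NONE))
```

Running it on the broken sample reports that socket 443 is served by the catch-all server with `TLSv1.2` only, even though the named site enables TLSv1.3, which is exactly why ssllabs and Firefox saw no TLS 1.3; the fixed sample reports nothing. Setting ssl_protocols once at the http{} level, as Maxim suggests, makes every server on the socket agree, so the default-server question stops mattering.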

Re: no TLS1.3 with 1.15.5

Jeff Dyke
Hi. I know this does not solve the problem, but I'm curious whether you found a package that was compiled with 1.1.1 or compiled it yourself. Generally I like to avoid the latter, as everything is managed through salt, but I am interested in TLSv1.3.

Thanks,
Jeff

On Tue, Nov 6, 2018 at 1:19 PM Maxim Dounin <[hidden email]> wrote:

Re: no TLS1.3 with 1.15.5

nginx mailing list
Hello!

I am sorry for the late answer. I never install any compiled packages except for the ones that can be pulled from Ubuntu's official repositories. Since 1.15.5 was not available yet (and the one that was available was compiled against an SSL version which didn't support TLS1.3), I had to retrieve the source code for both and do all the hard and fun work myself. :)

Seeing how it works, I believe that it's worth all the trouble.

Bogdan




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, November 7, 2018 9:17 PM, Jeff Dyke <[hidden email]> wrote:
