I can't use TLS1.3 only in my site,please help
Posted by cwyin7788
|
I can't use TLS1.3 only in my site,please help April 17, 2020 09:57AM |
Registered: 4 years ago Posts: 1 |
Hello all professional brothers & sisters
I use Raspberry 3B+ as my web server,installed ubuntu server 19.10 eoan (32bit armh),
my nginx use this ppa version (1.17.8) :
https://launchpad.net/~ondrej/+archive/ubuntu/nginx-mainline
my openssl is version 1.1.1c
I want my site only run on TLSv1.3,so in my config file,I set it as :
ssl_protocols TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384;
but when I use nginx -t command test config file,it prompt me an error:
nginx: [emerg] SSL_CTX_set_cipher_list("TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
if I use TLSv1.2 TLSv1.3:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;
then use nginx -t command check again,it didn't prompt me any error:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
===========================================================
That's what I did to test,
A.)when I try these commands to check two TLS 1.3 ciphers,it show me those error:
openssl ciphers -v TLS-AES-256-GCM-SHA384
Error in cipher list
1992302608:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:
openssl ciphers -v TLS-CHACHA20-POLY1305-SHA256
Error in cipher list
1992876048:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:
B.)If I try another cipher,no error show:
openssl ciphers -v ECDHE-ECDSA-CHACHA20-POLY1305
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
C.)use this command, openssl show it support tls1.3
root@ubuntu:/etc/nginx/sites-available# openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
D.)remove nginx & openSSL and reinstall it agin, many times, it doesn't work
what's wrong with my nginx & openssl?please help.
say thank you first.
I use Raspberry 3B+ as my web server,installed ubuntu server 19.10 eoan (32bit armh),
my nginx use this ppa version (1.17.8) :
https://launchpad.net/~ondrej/+archive/ubuntu/nginx-mainline
my openssl is version 1.1.1c
I want my site only run on TLSv1.3,so in my config file,I set it as :
ssl_protocols TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384;
but when I use nginx -t command test config file,it prompt me an error:
nginx: [emerg] SSL_CTX_set_cipher_list("TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
if I use TLSv1.2 TLSv1.3:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;
then use nginx -t command check again,it didn't prompt me any error:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
===========================================================
That's what I did to test,
A.)when I try these commands to check two TLS 1.3 ciphers,it show me those error:
openssl ciphers -v TLS-AES-256-GCM-SHA384
Error in cipher list
1992302608:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:
openssl ciphers -v TLS-CHACHA20-POLY1305-SHA256
Error in cipher list
1992876048:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:
B.)If I try another cipher,no error show:
openssl ciphers -v ECDHE-ECDSA-CHACHA20-POLY1305
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
C.)use this command, openssl show it support tls1.3
root@ubuntu:/etc/nginx/sites-available# openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
D.)remove nginx & openSSL and reinstall it agin, many times, it doesn't work
what's wrong with my nginx & openssl?please help.
say thank you first.
|
Re: I can't use TLS1.3 only in my site,please help April 21, 2020 09:27AM |
Registered: 4 years ago Posts: 4 |
TLS 1.3 requires that you specify the following AEAD (Authenticated Encryption with Associated Data) ciphers:
Try remove from nginx configuration ECDHE-ECDSA-CHACHA20 POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES
and leve those three:
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256
You may tweak the order, but you should activate all three of the above.
for more information:
https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
Edited 1 time(s). Last edit at 04/21/2020 09:33AM by Boris_Krizman.
Try remove from nginx configuration ECDHE-ECDSA-CHACHA20 POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES
and leve those three:
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256
You may tweak the order, but you should activate all three of the above.
for more information:
https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
Edited 1 time(s). Last edit at 04/21/2020 09:33AM by Boris_Krizman.
|
Re: I can't use TLS1.3 only in my site,please help April 21, 2020 10:00AM |
Registered: 4 years ago Posts: 4 |
This i found on github from user kaduk when i google your error message from openssl command.
The TLS 1.3 ciphersuites are qualitatively different than ciphersuites prior to TLS 1.3 (e.g., in that the TLS 1.2 codepoints specify a key exchange mechanism but in TLS 1.3 that is separately negotiated). You have to use the -ciphersuites argument to configure them manually.
The TLS 1.3 ciphersuites are qualitatively different than ciphersuites prior to TLS 1.3 (e.g., in that the TLS 1.2 codepoints specify a key exchange mechanism but in TLS 1.3 that is separately negotiated). You have to use the -ciphersuites argument to configure them manually.
Sorry, only registered users may post in this forum.
Online Users
Guests:
179
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|