Welcome! Log In Create A New Profile

Advanced

I can't use TLS1.3 only in my site,please help

Posted by cwyin7788 
I can't use TLS1.3 only in my site,please help
April 17, 2020 09:57AM
Hello all professional brothers & sisters

I use Raspberry 3B+ as my web server,installed ubuntu server 19.10 eoan (32bit armh),

my nginx use this ppa version (1.17.8) :
https://launchpad.net/~ondrej/+archive/ubuntu/nginx-mainline

my openssl is version 1.1.1c

I want my site only run on TLSv1.3,so in my config file,I set it as :

ssl_protocols TLSv1.3;

ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384;

but when I use nginx -t command test config file,it prompt me an error:
nginx: [emerg] SSL_CTX_set_cipher_list("TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

if I use TLSv1.2 TLSv1.3:

ssl_protocols TLSv1.2 TLSv1.3;

ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;

then use nginx -t command check again,it didn't prompt me any error:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

===========================================================

That's what I did to test,

A.)when I try these commands to check two TLS 1.3 ciphers,it show me those error:

openssl ciphers -v TLS-AES-256-GCM-SHA384
Error in cipher list
1992302608:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:

openssl ciphers -v TLS-CHACHA20-POLY1305-SHA256
Error in cipher list
1992876048:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:

B.)If I try another cipher,no error show:

openssl ciphers -v ECDHE-ECDSA-CHACHA20-POLY1305
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

C.)use this command, openssl show it support tls1.3

root@ubuntu:/etc/nginx/sites-available# openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

D.)remove nginx & openSSL and reinstall it agin, many times, it doesn't work

what's wrong with my nginx & openssl?please help.

say thank you first.
Re: I can't use TLS1.3 only in my site,please help
April 21, 2020 09:27AM
TLS 1.3 requires that you specify the following AEAD (Authenticated Encryption with Associated Data) ciphers:

Try remove from nginx configuration ECDHE-ECDSA-CHACHA20 POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES

and leve those three:
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256

You may tweak the order, but you should activate all three of the above.

for more information:
https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/



Edited 1 time(s). Last edit at 04/21/2020 09:33AM by Boris_Krizman.
Re: I can't use TLS1.3 only in my site,please help
April 21, 2020 10:00AM
This i found on github from user kaduk when i google your error message from openssl command.

The TLS 1.3 ciphersuites are qualitatively different than ciphersuites prior to TLS 1.3 (e.g., in that the TLS 1.2 codepoints specify a key exchange mechanism but in TLS 1.3 that is separately negotiated). You have to use the -ciphersuites argument to configure them manually.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 125
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready