Hello all professional brothers & sisters
I use a Raspberry 3B+ as my web server, with Ubuntu Server 19.10 eoan (32-bit armhf) installed.
My nginx uses this PPA version (1.17.8):
https://launchpad.net/~ondrej/+archive/ubuntu/nginx-mainline
My OpenSSL is version 1.1.1c.
I want my site to run only on TLSv1.3, so in my config file I set it as:
ssl_protocols TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384;
But when I use the nginx -t command to test the config file, it gives me an error:
nginx: [emerg] SSL_CTX_set_cipher_list("TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
If I use TLSv1.2 TLSv1.3:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;
and then use the nginx -t command to check again, it doesn't give me any error:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
===========================================================
This is what I did to test:
A.) When I try these commands to check the two TLS 1.3 ciphers, they show me these errors:
openssl ciphers -v TLS-AES-256-GCM-SHA384
Error in cipher list
1992302608:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:
openssl ciphers -v TLS-CHACHA20-POLY1305-SHA256
Error in cipher list
1992876048:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2549:
B.) If I try another cipher, no error is shown:
openssl ciphers -v ECDHE-ECDSA-CHACHA20-POLY1305
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
C.) With this command, openssl shows that it supports TLS 1.3:
root@ubuntu:/etc/nginx/sites-available# openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
D.) I removed nginx & OpenSSL and reinstalled them again, many times; it doesn't work.
What's wrong with my nginx & openssl? Please help.
Thank you in advance.
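
The behaviour reported in tests A and B can be reproduced outside nginx with the sketch below, which is an added example and not part of the original post. It assumes Python's ssl module is linked against OpenSSL 1.1.1 or later and relies on ssl.SSLContext.set_ciphers() calling SSL_CTX_set_cipher_list, the function named in the error; probe and classify_tokens are names chosen for this example.

```python
import ssl

# Strings taken from the post; MIXED keeps two of the older names from its longer list.
TLS13_ONLY = "TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384"
MIXED = TLS13_ONLY + ":ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305"


def probe(cipher_string):
    """Hand cipher_string to SSL_CTX_set_cipher_list via set_ciphers().

    Returns (accepted, tls13_names, older_names). accepted is False when
    OpenSSL finds no TLS 1.2-or-older cipher in the string, which is the
    "no cipher match" condition shown in the post.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, [], []
    suites = ctx.get_ciphers()
    tls13 = [c["name"] for c in suites if c["protocol"] == "TLSv1.3"]
    older = [c["name"] for c in suites if c["protocol"] != "TLSv1.3"]
    return True, tls13, older


def classify_tokens(cipher_string):
    """Map each ':'-separated token to True if, on its own, it selects at
    least one TLS 1.2-or-older cipher, and to False if the cipher-list
    parser does not recognise it. Only plain names are handled here, not
    operators such as '!' or '@STRENGTH'."""
    return {tok: probe(tok)[0] for tok in cipher_string.split(":") if tok}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, value in (("TLS 1.3 names only", TLS13_ONLY), ("mixed", MIXED)):
        accepted, tls13, older = probe(value)
        print(f"{label}: accepted={accepted}")
        print("  TLS 1.3 suites listed:", tls13)
        print("  selected by the string:", older)
    for token, matched in classify_tokens(MIXED).items():
        print(f"{token}: {'matched' if matched else 'not recognised'}")
```

In the mixed case the TLS 1.3 suites appear in the result even though none of the string's tokens selected them, matching the output in test B.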