Re: NGINX only enabling TLS1.2 ?

Eric Germann
April 17, 2018 09:02PM
Piling on this, I built nginx-1.14.0 from source with openssl-1.1.1-pre5 compiled in.

The macro in the header says it’s at TLS 1.3 Draft 26

Chrome 66 claims to support Draft 23 (via chrome://flags)?

Neither Cloudflare nor Chrome report TLS 1.3

Yet when I do this from the command line for testing (openssl s_client host:443 http://7layers.semperen.com:443/)

I get

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384

ssl_ciphers are set to

TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

My questions:

1. Do the drafts try to negotiate to a common draft?

2. The server is compiled statically to the source for openssl that the openssl command is executed from. I’d think they would be able to negotiate the first protocol listed.

3. Why does the protocol come up (even with the openssl command) as TLS_AES_256_GCM_SHA384 and not the TLS13 variants? ChaCha20-Poly1305 works in TLS1.2 just fine.

Thoughts?

EKG



> On Apr 17, 2018, at 1:45 PM, Reinis Rozitis <r@roze.lv> wrote:
>
>> Is there any reason why SSLlabs would report only 1.2 as being available despite the config showing otherwise ?
>
> Also SSLLabs supports only tls 1.3 draft18 while for example OpenSSL 1.1.1pre4 is draft 28, so it won't show that the server supports tls1.3.
>
> rr
>

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
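Added example, not code from the post or from the nginx project: a small Python checker that parses the `openssl s_client` session summary quoted above, reports whether TLS 1.3 was negotiated, and compares the negotiated suite name with the entries of an nginx ssl_ciphers value (the sample output and the shortened cipher list are constructed from the post; the `probe` helper, which runs s_client against a live host, is an assumed convenience and is not exercised offline).

```python
import re
import subprocess

# Constructed sample: the "openssl s_client" session summary quoted in the post.
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

# Constructed sample: the post's ssl_ciphers value, shortened to a few entries.
SAMPLE_SSL_CIPHERS = ("TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:"
                      "EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!RC4:!aNULL;")

# TLS 1.3 suites under the RFC 8446 names that OpenSSL 1.1.1 prints.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"}

def parse_session(output):
    """Return {'protocol', 'cipher'} from the SSL-Session block, or None if there is none."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher:
        return None  # handshake failed or the output was truncated
    return {"protocol": proto.group(1), "cipher": cipher.group(1)}

def audit_handshake(output, ssl_ciphers):
    """Classify the negotiated session and relate it to the nginx ssl_ciphers list."""
    session = parse_session(output)
    if session is None:
        return {"status": "no-session", "findings": ["no SSL-Session block in output"]}
    is_tls13 = session["protocol"] == "TLSv1.3"
    entries = [e for e in ssl_ciphers.strip().rstrip(";").split(":") if e]
    tls13_style = [e for e in entries if e.startswith("TLS13-")]  # pre-release spelling
    findings = []
    if is_tls13 and session["cipher"] not in TLS13_SUITES:
        findings.append("TLSv1.3 reported with an unexpected suite name: " + session["cipher"])
    if is_tls13 and tls13_style:
        findings.append("negotiated suite is named %s; the TLS13-* entries in ssl_ciphers "
                        "do not match that naming" % session["cipher"])
    return {"status": "tls13" if is_tls13 else "tls12-or-lower",
            "cipher": session["cipher"], "tls13_style": tls13_style, "findings": findings}

def probe(host, ssl_ciphers, port=443):
    """Assumed helper: run s_client against a live host and audit the result."""
    proc = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port)],
                          input=b"", capture_output=True, timeout=15)
    return audit_handshake(proc.stdout.decode(errors="replace"), ssl_ciphers)
```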
Thread index (Subject | Author | Posted):

NGINX only enabling TLS1.2 ? | Tim Smith | April 17, 2018 11:20AM
Re: NGINX only enabling TLS1.2 ? | A. Schulze | April 17, 2018 11:42AM
RE: NGINX only enabling TLS1.2 ? | Reinis Rozitis | April 17, 2018 01:48PM
Re: NGINX only enabling TLS1.2 ? | Eric Germann | April 17, 2018 09:02PM
RE: NGINX only enabling TLS1.2 ? | Reinis Rozitis | April 18, 2018 03:32AM