

Re: no TLS1.3 with 1.15.5

Maxim Dounin
November 06, 2018 01:20PM

On Sat, Nov 03, 2018 at 06:14:15PM +0000, Bogdan via nginx wrote:

> Hello, everyone.
> I am stuck with a fresh installation which runs absolutely fine except it doesn't offer TLS1.3, which is the biggest reason for updating the server.
> Below is some info about my config.
> Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic
> nginx compile options: nginx/1.15.5 (Ubuntu)
> built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
> built with OpenSSL 1.1.1 11 Sep 2018
> TLS SNI support enabled
> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_geoip_module=dynamic --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --without-http_empty_gif_module --without-http_browser_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-debug
> /etc/nginx/sites-available/default:
> ssl_session_cache shared:SSL:1m;
> server {
> ssl_early_data on;
> ssl_dhparam /etc/nginx/ssl/dh4096.pem;
> ssl_session_timeout 5m;
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.2 TLSv1.3;
> ssl_ecdh_curve secp521r1:secp384r1;
> }
> I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that is TLS1.3 RFC as far as I know) and ssllabs.com's test says TLSv1.3 is non-existent on the server.
> Any help would be much appreciated.

Make sure you have properly configured ssl_protocols in the
default server for the listen socket in question. If unsure,
configure ssl_protocols at the http{} level.

Note well that testing using "openssl s_client" from the OpenSSL
library you've built nginx with is the most reliable approach, as it
ensures that the proper TLSv1.3 variant is used by the client.

Maxim Dounin
nginx mailing list
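
The reply's first point, as an added example that is not part of the original post or of nginx itself: a small checker that reports which ssl_protocols value belongs to the default server of each listen socket. It assumes a simplified configuration (no include files, listen addresses compared as written); the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample: two virtual hosts share listen socket 443; the first
# one is the default server for that socket and lacks TLSv1.3.
SAMPLE_CONF = """
http {
    server { listen 443 ssl; server_name legacy.example; ssl_protocols TLSv1.2; }
    server { listen 443 ssl; server_name new.example; ssl_protocols TLSv1.2 TLSv1.3; }
}
"""

def parse_servers(conf):
    """Return (http-level ssl_protocols, server dicts) for a simplified config."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, stmt, servers, http_protos = [], [], [], None
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":                       # block opens; remember its name
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                servers.append({"listen": [], "protocols": None})
        elif tok == "}":
            stack.pop()
        elif stmt and stack:                 # ";" ends a simple directive
            name, args = stmt[0], stmt[1:]
            if stack[-1] == "server" and name == "listen":
                servers[-1]["listen"].append(args)
            elif stack[-1] == "server" and name == "ssl_protocols":
                servers[-1]["protocols"] = args
            elif stack[-1] == "http" and name == "ssl_protocols":
                http_protos = args
        stmt = []
    return http_protos, servers

def default_server_protocols(conf):
    """Map each listen address to the ssl_protocols of its default server."""
    http_protos, servers = parse_servers(conf)
    result = {}
    for srv in servers:
        protos = srv["protocols"] or http_protos   # None = nginx built-in default
        for addr, *params in srv["listen"]:
            # First server for a socket is its default unless one says default_server.
            if addr not in result or "default_server" in params:
                result[addr] = protos
    return result

if __name__ == "__main__":
    print(default_server_protocols(SAMPLE_CONF))
```

On the sample, socket 443 resolves to the first server's TLSv1.2-only setting even though the second virtual host lists TLSv1.3; moving ssl_protocols to the http{} level, as the reply suggests, removes the mismatch.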