Welcome! Log In Create A New Profile

Advanced

Enabling TLS 1.0 / 1.1 on Debian Testing

November 15, 2018 12:17PM
Cross posting from https://unix.stackexchange.com/questions/481963, this seems to be the better place to ask.

---

Just updated Debian from "stable" 9.* to "testing" 10.*.

Have nginx 1.14 - used to come from "stable backports" now included in Debian itself.

Seeing a strange issue with TLS versions in nginx.

TLS 1.3 is enabled, and 1.2 is too, but I can't seem to get TLS 1.0 / 1.1 even though they're included in nginx configs.

https://www.htbridge.com/ssl/?id=QgSrZIuN

Oh and by the way, Dovecot running on same system still has TLS 1.0 - 1.1 - 1.2 - 1.3 all functional:

https://www.htbridge.com/ssl/?id=cSArIbQQ

relevant bits from nginx site config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers kECDHE+CHACHA20:kECDHE+AESGCM:kDHE+AESGCM:kECDHE+AES+SHA:kDHE+AES+SHA:!AESCCM:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;

I tried removing either ssl_protocols or ssl_ciphers or both, nothing changed really.

Is this an intentional change in nginx - upstream or as packaged by Debian? A change in openssl itself?

Any way I can enable all TLS versions from 1.0 and up to 1.3 in nginx at the same time?

---

Found this in Debian news, basically they've disabled TLS 1.0 / 1.1 - apps have to ask for these versions specifically:

https://packages.qa.debian.org/o/openssl/news/20170824T211015Z.html


* Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version().

Is there some way nginx could accommodate this change and make it possible to enable TLS 1.0 / 1.1?

Maybe consider adding a new config directive like the one used by Dovecot?

https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf#L55

It would still allow someone to only use TLS 1.2 and newer, or "TLS 1.0 and newer" or "TLS 1.1 and newer" without getting overly verbose.

It would also work identical with both OpenSSL variations, with and without TLS 1.3 support.
Subject Author Posted

Enabling TLS 1.0 / 1.1 on Debian Testing

kmansoft November 15, 2018 12:17PM

Re: Enabling TLS 1.0 / 1.1 on Debian Testing

Maxim Dounin November 15, 2018 01:26PM

Re: Enabling TLS 1.0 / 1.1 on Debian Testing

kmansoft November 16, 2018 04:48AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 141
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready