Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?

PGNet Dev
July 19, 2019 02:26PM
On 7/19/19 11:02 AM, Maxim Dounin wrote:
> Hello!
>
> On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:
>
>>>> And, if I change nginx to be 'TLSv1.3-only',
>>>>
>>>> - ssl_protocols TLSv1.3 TLSv1.2;
>>>> - ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
>>>> + ssl_protocols TLSv1.3;
>>>> + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";
>>>>
>>>> even the webserver config check FAILs,
>>>>
>>>> nginxconfcheck
>>>> TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
>>>> nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
>>>>
>>>> and the server fails to start.
>>>
>>> That's because the cipher string listed contains no valid ciphers.
>>
>>
>> Sorry, I'm missing something :-/
>>
>> What's specifically "invalid" about the 3, listed ciphers?
>>
>> TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256
>
> There are no such ciphers in the OpenSSL.
> Try it yourself:
>
> $ openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
> Error in cipher list
> 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:
>
> [...]
>

Then what are these lists?

https://wiki.openssl.org/index.php/TLS1.3

Ciphersuites


OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:


TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_CCM_8_SHA256

TLS_AES_128_CCM_SHA256

https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/

Ciphersuites


OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:


TLS13-AES-256-GCM-SHA384

TLS13-CHACHA20-POLY1305-SHA256

TLS13-AES-128-GCM-SHA256

TLS13-AES-128-CCM-8-SHA256

TLS13-AES-128-CCM-SHA256



"$ openssl ciphers -s -v ECDHE
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE and additionally all of the default TLSv1.3 ciphersuites."

openssl ciphers -s -v ECDHE
>> TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
>> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
>> TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
...


openssl ciphers -tls1_3
>> TLS_AES_256_GCM_SHA384:
>> TLS_CHACHA20_POLY1305_SHA256:
>> TLS_AES_128_GCM_SHA256:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
Error in cipher list
140418731745728:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

openssl ciphers TLS-CHACHA20-POLY1305-SHA256
Error in cipher list
140126717628864:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

openssl ciphers TLS13_CHACHA20_POLY1305_SHA256
Error in cipher list
139978279444928:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

openssl ciphers TLS_CHACHA20_POLY1305_SHA256
Error in cipher list
139921842241984:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:


If your argument for TLSv1.3 usage in nginx is as-correctly-used in openssl, that's fine.

Can you provide a correct nginx example of TLS13-only usage of CHACHA20-POLY1305-SHA256 cipher?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
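The following is an added example and is not part of the thread or of nginx; it uses Python's ssl module, whose set_ciphers() hands the string to the same OpenSSL call nginx's ssl_ciphers directive uses (SSL_CTX_set_cipher_list), to reproduce the config-test failure discussed above. The cipher strings are constructed from the names quoted in the thread, and the tls13_only flag mirrors "ssl_protocols TLSv1.3;". What it shows: the TLS13-* and TLS_* names are never accepted by the cipher-list API, restricting the protocol to TLSv1.3 does not change that, and the TLS_* suites OpenSSL actually negotiates for TLSv1.3 are present in the context regardless of what the cipher string says.

```python
"""Added example (not from the mailing-list thread or from nginx).

Python's SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), the same
OpenSSL function nginx's ssl_ciphers directive feeds, so it fails for the same
reason "nginx -t" does. TLSv1.3 suites live in a separate OpenSSL list
(SSL_CTX_set_ciphersuites, "openssl ciphers -ciphersuites") that the cipher
string cannot select.
"""
import ssl

# Constructed sample strings built from the names quoted in the thread.
TLS12_STRING = "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256"
TLS13_STYLE_STRINGS = [
    # pre-release 1.1.1 spelling from the 2017 OpenSSL blog post
    "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256",
    # final 1.1.1 spelling from the OpenSSL wiki
    "TLS_CHACHA20_POLY1305_SHA256",
]


def check_cipher_string(cipher_string, tls13_only=False):
    """Validate an ssl_ciphers-style string the way OpenSSL does for nginx.

    Returns (True, [selected pre-TLSv1.3 cipher names]) when OpenSSL accepts
    the string, or (False, error text) when it rejects it. tls13_only mirrors
    "ssl_protocols TLSv1.3;" and is applied before the cipher string, as nginx
    does, to show that the protocol restriction does not rescue the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if tls13_only:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        except ValueError:
            # OpenSSL build without TLSv1.3: the cipher-string check below
            # behaves the same either way, so just carry on.
            pass
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # This is the "no cipher match" failure behind the nginx config test.
        return False, str(exc)
    selected = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return True, selected


def tls13_suites():
    """TLSv1.3 suites enabled in a fresh context, independent of ssl_ciphers.

    These are the TLS_* names; an older OpenSSL without TLSv1.3 returns [].
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    print("TLSv1.3 suites present by default:", tls13_suites())
    for s in [TLS12_STRING] + TLS13_STYLE_STRINGS:
        for only13 in (False, True):
            ok, detail = check_cipher_string(s, tls13_only=only13)
            print(f"{'OK  ' if ok else 'FAIL'} tls13_only={only13}: {s!r} -> {detail}")
```

Run it with any Python linked against OpenSSL 1.1.1 or later: the first string is accepted with or without the protocol restriction, both TLSv1.3-style strings fail with "No cipher can be selected." in both modes, and tls13_suites() still lists TLS_AES_256_GCM_SHA384 and friends. That is the practical answer to the question in the post: keep at least one real pre-TLSv1.3 cipher in ssl_ciphers so the string is valid, and leave the TLSv1.3 suites to OpenSSL's separate ciphersuite list.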
Subject  Author  Posted
nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  PGNet Dev  July 19, 2019 11:40AM
Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  Maxim Dounin  July 19, 2019 12:30PM
Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  PGNet Dev  July 19, 2019 01:54PM
Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  Maxim Dounin  July 19, 2019 02:04PM
Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  PGNet Dev  July 19, 2019 02:26PM
Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  Maxim Dounin  July 19, 2019 02:42PM
Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?  PGNet Dev  July 19, 2019 02:56PM
