Re: nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?

Maxim Dounin
July 19, 2019 02:42PM
Hello!

On Fri, Jul 19, 2019 at 11:24:36AM -0700, PGNet Dev wrote:

> On 7/19/19 11:02 AM, Maxim Dounin wrote:
> > Hello!
> >
> > On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:
> >
> >>>> And, if I change nginx to be 'TLSv1.3-only',
> >>>>
> >>>> - ssl_protocols TLSv1.3 TLSv1.2;
> >>>> - ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
> >>>> + ssl_protocols TLSv1.3;
> >>>> + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";
> >>>>
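Review bot: The `+ ssl_ciphers` line keeps only the three `TLS13-*` names, and the `openssl ciphers` output quoted later in this message rejects such a name with "no cipher match", so once `ECDHE-ECDSA-CHACHA20-POLY1305` is removed the string has no entry that OpenSSL accepts. Check each name with `openssl ciphers <name>` before making the change, and keep at least one name that it accepts.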
> >>>> even the webserver config check FAILs,
> >>>>
> >>>> nginxconfcheck
> >>>> TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
> >>>> nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
> >>>>
> >>>> and the server fails to start.
> >>>
> >>> That's because the cipher string listed contains no valid ciphers.
> >>
> >>
> >> Sorry, I'm missing something :-/
> >>
> >> What's specifically "invalid" about the 3, listed ciphers?
> >>
> >> TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256
> >
> > There are no such ciphers in OpenSSL.
> > Try it yourself:
> >
> > $ openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
> > Error in cipher list
> > 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:
> >
> > [...]
> >
>
> Then what are these lists?

You may want to re-read my initial answer and the ticket it
links to.

[...]

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
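
The failure discussed in this message can be checked outside nginx. The following is an added example, not code from the thread or from the nginx project: it uses Python's `ssl` module, whose `SSLContext.set_ciphers()` hands the string to the same OpenSSL cipher-list call named in the error, and it assumes Python is linked against OpenSSL 1.1.1 or later. The function names are illustrative.

```python
import ssl

# Cipher strings copied from the two ssl_ciphers lines quoted in the thread.
MIXED = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
         "TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305")
TLS13_ONLY = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
              "TLS13-AES-128-GCM-SHA256")


def accepted(cipher_string):
    """Return True if the linked OpenSSL accepts the string as a cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Raised when the string selects no cipher at all ("no cipher match").
        return False
    return True


def split_names(cipher_string):
    """Split a cipher list on the separators OpenSSL allows (':', ',', space)."""
    for sep in ":,":
        cipher_string = cipher_string.replace(sep, " ")
    return cipher_string.split()


def audit(cipher_string):
    """Report whether the whole string is accepted and which names match.

    Each entry is tested on its own, so the per-name result is only
    meaningful for plain cipher names, not for '!', '-' or '+' operators.
    """
    names = split_names(cipher_string)
    return {
        "accepted": accepted(cipher_string),
        "matched": [n for n in names if accepted(n)],
        "unmatched": [n for n in names if not accepted(n)],
    }


if __name__ == "__main__":
    for label, value in (("mixed", MIXED), ("TLS13-only", TLS13_ONLY)):
        print(label, audit(value))
```

Unknown names are skipped silently as long as one entry matches, which is why the original four-entry string passed the config check and the three-entry one did not.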