Re: CHACHA20-POLY1305 Server Preference NOK with tlsv1.3

Maxim Dounin
May 03, 2020 05:22PM
Hello!

On Sun, May 03, 2020 at 07:04:49PM +0200, Vincent Blondel wrote:

> Hello,
>
> Trying to get CHACHA20-POLY1305 Server Preference ... Working with tlsv1.2
> but NOK with tlsv1.3
>
> ** Tried with a Custom OpenSSL.conf ServerPreference,PrioritizeChaCha
>
> OPENSSL_CONF=$HOME/conf/openssl.conf $HOME/bin/nginx.exe
>
> # Top-level entry the sections below hang off; OpenSSL looks up the
> # "openssl_conf" name by default (line added to complete the posted fragment).
> openssl_conf = default_conf
> [default_conf]
> ssl_conf = ssl_sect
> [ssl_sect]
> system_default = system_default_sect
> [system_default_sect]
> Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
> Options = ServerPreference,PrioritizeChaCha
>
> ** Tried by patching src/event/ngx_event_openssl.c
>
> - SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> + SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE |
> SSL_OP_PRIORITIZE_CHACHA);
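Review bot: the `+` line ORs in SSL_OP_PRIORITIZE_CHACHA unconditionally, but that macro only exists from OpenSSL 1.1.1 on, so this hunk fails to compile against the older OpenSSL releases nginx still builds with; wrap the new flag in `#ifdef SSL_OP_PRIORITIZE_CHACHA` (falling back to the original `SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` otherwise) before proposing it. Keeping it in the same call as SSL_OP_CIPHER_SERVER_PREFERENCE is right, since ChaCha prioritisation only has an effect when server preference is on. The second `+` line is a mail wrap of the first; a real patch has the whole call on one line.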
>
> ** Tried by patching src/event/ngx_event_openssl.c

There is no need to patch anything as long as you have Options set
in openssl.conf.

> nginx -s reload
> nginx: [emerg] SSL_CTX_set_cipher_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
>
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.3;
> ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256;
>
> my config is working like a charm with tlsv1.2 but I cannot get CHACHA20
> prioritized with tlsv1.3 ... hence my question ... how to do this with nginx
> version nginx/1.18.0?

The problem is that OpenSSL's SSL_CTX_set_cipher_list() does not
recognize any ciphers in the cipher list you've provided in the
ssl_ciphers directive, hence the error. You have to provide at
least one valid cipher.

Note that OpenSSL's SSL_CTX_set_cipher_list() does not recognize
any TLSv1.3 ciphers (and instead enables them by default), hence
you have to use at least one TLSv1.2 cipher listed.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
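As an added example (not code from the thread, from nginx or from OpenSSL), the following Python reproduces the point Maxim makes above through the standard ssl module, whose SSLContext.set_ciphers() is a thin wrapper over SSL_CTX_set_cipher_list(): the TLSv1.3-only list from the post is rejected with the same "no cipher match" condition, the same list is accepted as soon as one TLSv1.2 cipher is present, and get_ciphers() then shows the TLSv1.3 suites enabled alongside it because OpenSSL adds them on its own. The TLSv1.2 cipher names added to the list are this example's choice, not from the thread.

```python
"""Probe what OpenSSL's SSL_CTX_set_cipher_list() accepts, via Python's ssl module.

Added example, not code from the mailing-list thread, nginx or OpenSSL.
ssl.SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list() and raises
ssl.SSLError('No cipher can be selected.') exactly where nginx's ssl_ciphers
directive in the post failed with "no cipher match".
"""
import ssl

# The exact list from the post: TLSv1.3 suite names only.
TLS13_ONLY = ("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
              "TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256")

# The same list with TLSv1.2 ciphers in front (the fix described in the reply).
# These particular TLSv1.2 names are this example's choice, not the thread's.
WITH_TLS12 = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
              "ECDHE-RSA-AES128-GCM-SHA256:" + TLS13_ONLY)

# Whether the linked OpenSSL speaks TLSv1.3 at all (attribute exists from 3.7).
HAS_TLS13 = getattr(ssl, "HAS_TLSv1_3", False)


def cipher_list_accepted(spec: str) -> bool:
    """Return True if SSL_CTX_set_cipher_list() accepts `spec`.

    OpenSSL silently skips names it does not recognise in a cipher-list
    string (TLSv1.3 suite names included) and reports "no cipher match"
    only when no TLSv1.2-or-earlier cipher remains after parsing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return True


def enabled_ciphers(spec: str) -> dict:
    """Map protocol version ('TLSv1.2', 'TLSv1.3', ...) to the cipher names
    that end up enabled on a context configured with `spec`.

    Raises ssl.SSLError if `spec` matches nothing, mirroring nginx's [emerg].
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    by_proto = {}
    for cipher in ctx.get_ciphers():
        by_proto.setdefault(cipher["protocol"], []).append(cipher["name"])
    return by_proto


if __name__ == "__main__":
    for label, spec in (("TLSv1.3 names only", TLS13_ONLY),
                        ("plus TLSv1.2 ciphers", WITH_TLS12)):
        print(f"{label}: accepted={cipher_list_accepted(spec)}")
    for proto, names in enabled_ciphers(WITH_TLS12).items():
        print(f"  {proto}: {', '.join(names)}")
```

Python's ssl module exposes no binding for SSL_CTX_set_ciphersuites(), so this script can only show the acceptance rule, not reorder the TLSv1.3 suites; in the thread that ordering, and the ChaCha-first behaviour, come from the Ciphersuites and Options lines in the posted openssl.conf, which the reply says need no nginx patch. The practical reading for nginx 1.18 is: keep at least one TLSv1.2 cipher in ssl_ciphers, and configure the TLSv1.3 side through openssl.conf.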