Hello!

On Mon, May 04, 2020 at 08:10:38PM +0200, Vincent Blondel wrote:

> I just copy/pasted/replaced the content of my openssl.conf with the
> proposal in this mail ... still OK with tslv1.2 and NOK with tlsv1.3 ...
>
> openssl is up to date and seems working fine ...

Some things to consider:

- Make sure the openssl.conf you are editing is the one which is
actually used. No errors are produced if loading openssl conf
fails, and this somewhat complicates things.

Given that your first message in this thread suggests you are
trying to do this on Windows, trying to use variables when
starting nginx might complicate things.

Also it might not be trivial to trace if the file is actually
used (on unix you can use things like ktrace / strace / truss).

- Make sure there are no non-text things in the openssl.conf such
as byte order marks. Some editors tend to add them, and this
often breaks things.

- Make sure you are testing things correctly. Testing cipher
preference, especially for TLSv1.3 ciphers, might be
non-trivial.

Simplier test might be to disable some Ciphersuites in the
openssl.conf, and make sure these are actually disabled. And
once you see them disabled, start playing with PrioritizeChaCha.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx