Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

Maxim Dounin
November 30, 2020 05:40PM
Hello!

On Mon, Nov 30, 2020 at 06:41:18PM +0100, Andreas Bartelt wrote:

> On 11/30/20 4:07 PM, Maxim Dounin wrote:
> > Hello!
> >
> > On Sun, Nov 29, 2020 at 04:01:07PM +0100, nginx@bartelt.name wrote:
> >
> >> I've noticed that nginx 1.18.0 always enables TLS 1.3 even if not
> >> configured to do so. I've observed this behavior on OpenBSD with (nginx
> >> 1.18.0 linked against LibreSSL 3.3.0) and on Ubuntu 20.04 (nginx 1.18.0
> >> linked against OpenSSL 1.1.1f). I don't know which release of nginx
> >> introduced this bug.
> >>
> >> From nginx.conf:
> >> ssl_protocols TLSv1.2;
> >> --> in my understanding, this config statement should only enable TLS
> >> 1.2 but not TLS 1.3. However, the observed behavior is that TLS 1.3 is
> >> implicitly enabled in addition to TLS 1.2.
> >
> > As long as "ssl_protocols TLSv1.2;" is the only ssl_protocols in
> > nginx configuration, TLSv1.3 shouldn't be enabled. Much like when
> > there are no "ssl_protocols" at all, as TLSv1.3 isn't enabled by
> > default (for now, at least up to and including nginx 1.19.5).
> >
>
> I've just retested this with my Ubuntu 20.04 based nginx test instance
> from yesterday (nginx 1.18.0 linked against OpenSSL 1.1.1f) and noticed
> that it works there as intended (i.e., "ssl_protocols TLSv1.2;" only
> enables TLS 1.2 but not TLS 1.3). I don't know what I did wrong there
> yesterday -- sorry for this.
>
> However, the problem persists on OpenBSD current with nginx 1.18.0
> (built from ports with default options which links against LibreSSL
> 3.3.0 from base). Setting "ssl_protocols TLSv1.2;" enables TLS 1.2 as
> well as TLS 1.3 there.

I don't see any problems when testing with LibreSSL 3.3.0 as
available on libressl.org and the very same configuration. So
it's probably something specific to your system.

Some possible reasons for the behaviour you are seeing, in no
particular order:

- Given that OpenBSD current and LibreSSL from base implies some
arbitrary version of LibreSSL, this might be something with the
changes present on your system but not in LibreSSL 3.3.0
release.

- There may be something with the port you are using to compile
nginx. Consider testing nginx compiled manually.

- You are testing the wrong server (the name resolves to a
different IP address, or the IP address is routed to a different
server). Make sure you are seeing the connection on the nginx side:
something like "return 200 $ssl_protocol;" in the appropriate
server block and making a "GET / HTTP/1.0" request in s_client
would be a good test.

- The nginx version running differs from the one on disk, and you
are running an nginx version older than 1.15.6 built with an old
LibreSSL without TLSv1.3 but running with LibreSSL 3.3.0 with
TLSv1.3 enabled. Check the "Server" header in the above test.

- There might be something wrong with headers on your system. The
behaviour observed might happen if SSL_OP_NO_TLSv1_3, TLS1_3_VERSION,
and SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version are
not defined, yet TLSv1.3 is present in the library.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
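The two checks suggested in the reply above, scripted, as an added example that is not part of the thread or of nginx itself. It assumes a server block under test containing `location / { return 200 "$ssl_protocol\n"; }` so that the response body states the protocol nginx negotiated, and it assumes the OpenSSL/LibreSSL headers live under `INCDIR/openssl/` (both assumptions). `parse_probe` reads an `openssl s_client` transcript and reports the negotiated protocol, the `Server` header (which reveals the running nginx version) and the body; `check_tls13_headers` reports which of the four symbols from the last bullet are absent from the headers nginx would be built against.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Host, port and header
# directory are assumptions supplied by the caller.
#
# Assumed nginx test config in the server block being probed:
#     location / { return 200 "$ssl_protocol\n"; }

# tls_probe HOST PORT FLAG
#   Connect with s_client pinned to one protocol (FLAG is -tls1_2 or -tls1_3),
#   send a plain "GET / HTTP/1.0" request and return the raw transcript.
#   -ign_eof keeps the connection open until the server closes it, so the
#   HTTP response (and any post-handshake session ticket) is captured.
tls_probe() {
    host=$1; port=$2; flag=$3
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
        openssl s_client -connect "$host:$port" -servername "$host" \
            "$flag" -ign_eof 2>&1
}

# parse_probe < TRANSCRIPT
#   Print one line: protocol=<from SSL-Session block> server=<Server header>
#   body=<first non-empty body line, i.e. $ssl_protocol as nginx saw it>.
#   The three fields are collected independently, so it does not matter
#   whether the SSL-Session block is printed before or after the response.
parse_probe() {
    tr -d '\r' | awk '
        /^ *Protocol *:/      { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^HTTP\/1\.[01] /     { in_hdr = 1; next }
        in_hdr && /^Server: / { server = substr($0, 9) }
        in_hdr && /^$/        { in_hdr = 0; in_body = 1; next }
        in_body && NF > 0     { body = $0; in_body = 0 }
        END { printf "protocol=%s server=%s body=%s\n", proto, server, body }'
}

# check_tls13_headers INCDIR
#   nginx decides at compile time, from these symbols, whether it can
#   restrict TLSv1.3. Print the ones missing from INCDIR/openssl/{ssl,tls1}.h
#   and return 1 if any is missing, 0 if all are present.
check_tls13_headers() {
    incdir=$1
    missing=""
    for sym in SSL_OP_NO_TLSv1_3 TLS1_3_VERSION \
               SSL_CTX_set_min_proto_version SSL_CTX_set_max_proto_version; do
        grep -q "$sym" "$incdir/openssl/ssl.h" "$incdir/openssl/tls1.h" \
            2>/dev/null || missing="$missing $sym"
    done
    [ -z "$missing" ] && return 0
    echo "missing from $incdir:$missing"
    return 1
}

# Typical use (hostname is a placeholder):
#   tls_probe nginx-under-test.example 443 -tls1_3 | parse_probe
#   check_tls13_headers /usr/include
```

With "ssl_protocols TLSv1.2;" and a correctly built nginx, the `-tls1_3` probe should fail to handshake and the `-tls1_2` probe should report `body=TLSv1.2`; a `-tls1_3` probe that succeeds with `body=TLSv1.3` reproduces the reported behaviour on the nginx side, and `server=` then tells you whether the running binary is the 1.18.0 you expect.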
Thread index (subject, author, posted):

- nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Anonymous User, November 29, 2020 10:02AM
- RE: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Thomas Ward, November 29, 2020 11:26AM
- Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Andreas Bartelt, November 30, 2020 05:54AM
- Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Maxim Dounin, November 30, 2020 10:08AM
- Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Andreas Bartelt, November 30, 2020 12:42PM
- Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Maxim Dounin, November 30, 2020 05:40PM
- Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Andreas Bartelt, December 01, 2020 06:12AM
- Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config): Sergey Kandaurov, December 01, 2020 07:42AM