Re: TLS 1.3 and ssl_reject_handshake

Maxim Dounin
December 23, 2020 11:40AM
Hello!

On Sat, Dec 19, 2020 at 05:04:36AM -0500, graxlop wrote:

> I'm using nginx 1.19.6 and when enabling "ssl_reject_handshake" in the top
> server block, it will disable TLS 1.3 if no certificate is included in the
> same server block or in the http block.
>
> server {
>     listen 443 ssl;
>     ssl_reject_handshake on;
> }
>
> server {
>     listen 443 http2 ssl;
>     server_name test.com;
>     root /home/test;
>
>     ssl_certificate ssl/rsa.crt;
>     ssl_certificate_key ssl/rsa.key;
> }

This is a bug in OpenSSL. This bug is already fixed and the fix
is expected to be available in the next OpenSSL release. Details
can be found here:

https://trac.nginx.org/nginx/ticket/2071
https://github.com/openssl/openssl/issues/13291

The most simple workaround is to define a dummy certificate for
the server block with ssl_reject_handshake. This certificate
won't be used, but will prevent OpenSSL from incorrectly disabling
TLSv1.3.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
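The dummy-certificate workaround described in the reply above, written out as an added configuration example (not taken from the thread or from the nginx project); the file paths ssl/dummy.crt and ssl/dummy.key and the self-signed cert they hold are assumptions:

```nginx
# Catch-all server: rejects any TLS handshake whose SNI does not match a
# named server below. With the affected OpenSSL versions, a reject-only
# block with no certificate makes OpenSSL drop TLSv1.3 for the whole
# listener, so a dummy certificate is attached here. It is never sent to
# a client; it only keeps TLSv1.3 enabled until OpenSSL ships the fix.
#
# Assumed self-signed dummy pair, generated once with e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=dummy \
#       -days 3650 -keyout ssl/dummy.key -out ssl/dummy.crt
server {
    listen 443 ssl;
    ssl_reject_handshake on;

    ssl_certificate     ssl/dummy.crt;   # placeholder, not served
    ssl_certificate_key ssl/dummy.key;   # placeholder, not served
}

# Real virtual host, unchanged from the original post.
server {
    listen 443 http2 ssl;
    server_name test.com;
    root /home/test;

    ssl_certificate     ssl/rsa.crt;
    ssl_certificate_key ssl/rsa.key;
}
```

After a reload, `openssl s_client -connect <host>:443 -servername test.com -tls1_3` should report TLSv1.3 in the handshake, and the same command with an unknown SNI should be rejected rather than answered with the dummy certificate.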