Re: Why does the nginx.org main site not supporting TLS v1.3?

Thomas Ward
January 22, 2021 01:06AM
So, I don't run the NGINX webserver, but I am pretty sure this is on the
remote server to serve the protocol right.  SSLLabs test shows that TLS
1.3 is just not offered.

https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest

There are three other IPs (one IPv4 and two IPv6) that will very likely
reflect the same tests as well.

So to answer your original question:

 > What have I done wrong or if it is your problem?

You didn't do anything wrong.  TLS 1.2 is the only protocol that's
offered for SSL/TLS connections to the nginx.org site.


Thomas


On 1/21/21 11:50 PM, David Hu wrote:
> So I have to downgrade to TLS v1.2. The full command input and the connection process can be shown as follows:
> ./curl -vvvvv --http2-prior-knowledge --tlsv1.2 https://nginx.org
> * Trying 52.58.199.22:443...
> * Connected to nginx.org (52.58.199.22) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: D:\curl-7.74.0_2-win64-mingw\bin\curl-ca-bundle.crt
> * CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> * subject: CN=nginx.org
> * start date: Oct 29 16:45:05 2020 GMT
> * expire date: Jan 27 16:45:05 2021 GMT
> * subjectAltName: host "nginx.org" matched cert's "nginx.org"
> * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
> * SSL certificate verify ok.
>> GET / HTTP/1.1
>> Host: nginx.org
>> User-Agent: curl/7.74.0
>> Accept: */*
>>
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Server: nginx/1.19.0
> < Date: Fri, 22 Jan 2021 04:43:32 GMT
> < Content-Type: text/html; charset=utf-8
> < Content-Length: 12676
> < Last-Modified: Tue, 15 Dec 2020 14:58:52 GMT
> < Connection: keep-alive
> < Keep-Alive: timeout=15
> < ETag: "5fd8cf2c-3184"
> < Accept-Ranges: bytes
> <
>
>
>
> So I negotiate with your server to force the use of HTTP/2 (i.e. H2), and ALPN is offering H2 and HTTP/1.1, but in the end I only get HTTP version HTTP/1.1, not H2. The same cURL specs and versions as in the above message. What have I done wrong or if it is your problem?
>
> Thanks again.
> Regards,
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
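
An added example, not part of either message in this thread: a small Python parser that reads a curl `-v` trace like the one quoted above and reports what was actually negotiated. The per-record labels in that trace read `TLSv1.3` for the hello messages even though the connection line reports `TLSv1.2`, so the code reads only curl's summary lines; the function names and the `want_*` parameters are hypothetical.

```python
import re

# Excerpt of the curl -v trace quoted above, mail "> " prefixes kept.
TRACE = """\
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use http/1.1
> < HTTP/1.1 200 OK
"""


def summarize_trace(trace):
    """Extract the negotiated TLS version, cipher and ALPN result."""
    summary = {"tls": None, "cipher": None, "alpn": None, "offered_alpn": []}
    for line in trace.splitlines():
        # Only curl's "* ..." summary lines are trusted; the
        # "TLSvX (IN/OUT)" record labels are deliberately ignored.
        if m := re.search(r"\* ALPN, offering (\S+)", line):
            summary["offered_alpn"].append(m.group(1))
        elif m := re.search(r"\* SSL connection using (\S+) / (\S+)", line):
            summary["tls"], summary["cipher"] = m.groups()
        elif m := re.search(r"\* ALPN, server accepted to use (\S+)", line):
            summary["alpn"] = m.group(1)
    return summary


def findings(summary, want_tls="TLSv1.3", want_alpn="h2"):
    """Compare the negotiated values with what the client hoped for."""
    notes = []
    if summary["tls"] != want_tls:
        notes.append(f"negotiated {summary['tls']}, not {want_tls}")
    # An ALPN mismatch only matters if the client really offered it.
    if want_alpn in summary["offered_alpn"] and summary["alpn"] != want_alpn:
        notes.append(
            f"client offered {want_alpn}, server selected {summary['alpn']}"
        )
    return notes


if __name__ == "__main__":
    result = summarize_trace(TRACE)
    print(result)
    for note in findings(result):
        print("finding:", note)
```
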