Re: Why does the nginx.org main site not supporting TLS v1.3?

Thomas Ward
January 22, 2021 01:10AM
To clarify, I meant I don't run nginx.org's nginx server that they have.  ;)

The remaining IP tests by SSLLabs show the same behavior -
https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&latest - so
it's just a case of these servers being configured to only use TLS 1.2. 
POSSIBLY they're using an older set of OpenSSL or similar libraries that
don't have TLS 1.3 yet, but it's also just possible it's disabled - TLS
1.3 isn't exactly the most 'accepted' protocol yet by certain policies
and standards, so that's a consideration too.


Thomas


On 1/22/21 1:04 AM, Thomas Ward wrote:
>
> So, I don't run the NGINX webserver, but I am pretty sure this is on
> the remote server to serve the protocol right.  SSLLabs test shows
> that TLS 1.3 is just not offered.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest
>
> There are three other IPs (one IPv4 and two IPv6) that will very likely
> reflect the same tests as well.
>
> So to answer your original question:
>
>  > What have I done wrong, or is it your problem?
>
> You didn't do anything wrong.  TLS 1.2 is the only protocol that's
> offered for SSL/TLS connections to the nginx.org site.
>
>
> Thomas
>
>
> On 1/21/21 11:50 PM, David Hu wrote:
>> So I have to downgrade to TLS v1.2. The full command input and the connection process can be shown as follows:
>> ./curl -vvvvv --http2-prior-knowledge --tlsv1.2 https://nginx.org
>> * Trying 52.58.199.22:443...
>> * Connected to nginx.org (52.58.199.22) port 443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * successfully set certificate verify locations:
>> * CAfile: D:\curl-7.74.0_2-win64-mingw\bin\curl-ca-bundle.crt
>> * CApath: none
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * ALPN, server accepted to use http/1.1
>> * Server certificate:
>> * subject: CN=nginx.org
>> * start date: Oct 29 16:45:05 2020 GMT
>> * expire date: Jan 27 16:45:05 2021 GMT
>> * subjectAltName: host "nginx.org" matched cert's "nginx.org"
>> * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
>> * SSL certificate verify ok.
>> > GET / HTTP/1.1
>> > Host: nginx.org
>> > User-Agent: curl/7.74.0
>> > Accept: */*
>> >
>> * Mark bundle as not supporting multiuse
>> < HTTP/1.1 200 OK
>> < Server: nginx/1.19.0
>> < Date: Fri, 22 Jan 2021 04:43:32 GMT
>> < Content-Type: text/html; charset=utf-8
>> < Content-Length: 12676
>> < Last-Modified: Tue, 15 Dec 2020 14:58:52 GMT
>> < Connection: keep-alive
>> < Keep-Alive: timeout=15
>> < ETag: "5fd8cf2c-3184"
>> < Accept-Ranges: bytes
>> <
>>
>>
>>
>> So I negotiate with your server to force the use of HTTP/2 (i.e. H2), and ALPN is offering H2 and HTTP/1.1, but in the end I only get HTTP version HTTP/1.1, not H2. The same cURL specs and versions as in the above message. What have I done wrong, or is it your problem?
>>
>> Thanks again.
>> Regards,
>>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
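
As an added example (not part of the original thread, and not code from curl or nginx), the check the replies make by eye on the quoted trace can be scripted: the code below reads `curl -v` output in the curl 7.74.0 wording shown above and compares the negotiated TLS version and ALPN result with a client policy. The function names and the default policy (`TLSv1.3`, `h2`) are assumptions chosen for illustration; other curl versions may word these lines differently.

```python
import re

# Abridged from the curl 7.74.0 trace quoted in the thread above (mail quoting kept).
SAMPLE_TRACE = """\
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * ALPN, server accepted to use http/1.1
>> < HTTP/1.1 200 OK
"""

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def summarize_trace(text):
    """Extract what the client offered and what the server selected."""
    offered = re.findall(r"\* ALPN, offering (\S+)", text)
    conn = re.search(r"\* SSL connection using (\S+) / (\S+)", text)
    alpn = re.search(r"\* ALPN, server accepted to use (\S+)", text)
    status = re.search(r"< (HTTP/[\d.]+) \d{3}", text)
    return {
        "alpn_offered": offered,
        # Per-record labels ("TLSv1.3 (IN) ... Server hello") are not used:
        # in the trace above they differ from the version finally reported.
        "tls": conn.group(1) if conn else None,
        "cipher": conn.group(2) if conn else None,
        "alpn_selected": alpn.group(1) if alpn else None,
        "http": status.group(1) if status else None,
    }


def policy_findings(summary, min_tls="TLSv1.3", want_alpn="h2"):
    """Compare a summary against a hypothetical client policy."""
    findings = []
    tls = summary["tls"]
    if tls not in TLS_ORDER:
        findings.append("no recognised TLS version in trace")
    elif TLS_ORDER.index(tls) < TLS_ORDER.index(min_tls):
        findings.append(f"negotiated {tls}, below required {min_tls}")
    if want_alpn in summary["alpn_offered"] and summary["alpn_selected"] != want_alpn:
        findings.append(f"offered {want_alpn}, server selected {summary['alpn_selected']}")
    return findings


if __name__ == "__main__":
    for finding in policy_findings(summarize_trace(SAMPLE_TRACE)):
        print(finding)
```
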