Taco de Wolff
March 19, 2024 08:40AM

I'm using Nginx 1.25.4 with the OpenSSL 1.1.1k FIPS build on CentOS Stream
8 (FIPS not enabled). I have checked that the OpenSSL library can connect
to other services using TLS1.3 and Postfix + Dovecot work fine on TLS1.3 as
well, but Nginx doesn't seem to enable TLS1.3 as reported by SSLLabs and by
checking manually using:

$ openssl s_client -connect domain.com:443 -tls1_3
4027EC8EC57D0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert
protocol version:ssl/record/rec_layer_s3.c:865:SSL alert number 70

TLS1.2 works fine though, and I'm sure TLS1.3 used to work but I can't
figure out what has changed. The relevant configuration:

http {
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:32m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/dhparam.pem;

    # SSL ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_prefer_server_ciphers on;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver valid=60s;
    resolver_timeout 2s;

    http3_hq on;
    quic_gso on;
    quic_retry on;
    #ssl_early_data on;

    # ...

    server {
        listen 443 ssl;
        listen 443 quic;
        listen [::]:443 ssl;
        listen [::]:443 quic;

        http2 on;

        ssl_certificate /etc/pki/lego/certificates/domain.com.crt;
        ssl_certificate_key /etc/pki/lego/certificates/domain.com.key;

        # ...
    }
}

I'm really at a loss and unsure how to proceed debugging this. What else
could be the problem? Thank you for your time.

Kind regards,
Taco de Wolff
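A small probe script, added here as an example and not part of the original post, that runs the same openssl s_client check the post uses for every protocol version nginx's ssl_protocols directive can name and classifies each answer, so a server that silently fell back to TLS 1.2 only is visible at a glance. It assumes an openssl binary in PATH; domain.com and the sample output in the comments are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): probe a TLS endpoint version by
# version with `openssl s_client` and classify what the server sent back.

# Classify raw s_client output read from stdin for one single-version probe.
# Prints one of: ok, rejected, no-response; exit status 0 only for "ok".
classify_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'alert protocol version'; then
        # "tlsv1 alert protocol version ... SSL alert number 70": the server
        # does not offer the version we forced, exactly what the post shows.
        echo rejected
        return 1
    elif printf '%s\n' "$out" | grep -Eq '^(New|Reused), TLSv1\.[0-9]' \
      && printf '%s\n' "$out" | grep -q 'Verify return code'; then
        # Handshake completed; s_client reports the negotiated version, e.g.
        # "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384".
        echo ok
        return 0
    else
        # Connection refused, timeout, or an unrelated error.
        echo no-response
        return 2
    fi
}

# Probe host $1, port $2 (default 443), forcing one version via flag $3
# (e.g. -tls1_3). stdin is /dev/null so s_client exits after the handshake.
probe_version() {
    host=$1; port=${2:-443}; flag=$3
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>&1 | classify_probe
}

# Print one line per version for the host, e.g.:
#   -tls1_2  ok
#   -tls1_3  rejected
probe_all() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

# Usage: probe_all domain.com 443
```

The probe only reports what the running server offers; to see which OpenSSL nginx itself was linked against (the library that decides whether TLSv1.3 in ssl_protocols has any effect), check the "built with OpenSSL" line of `nginx -V`.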
nginx mailing list
Subject: Unable to activate TLS1.3