NGINX only enabling TLS1.2 ?

Eric Germann ekgermann at semperen.com
Wed Apr 18 01:01:03 UTC 2018


Piling on this, I built nginx-1.14.0 from source with openssl-1.1.1-pre5 compiled in.

The macro in the header says it’s at TLS 1.3 Draft 26

Chrome 66 claims to support Draft 23 (via chrome://flags <chrome://flags>)?

Neither Cloudflare nor Chrome report TLS 1.3

Yet when I do this from the command line for testing (openssl s_client host:443 <http://7layers.semperen.com:443/>)

I get

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

ssl_ciphers are set to

TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128
-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-
RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:ECD
HE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECD
HE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AE
S128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:HIG
H:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

My questions:

1.	Do the drafts try to negotiate to a common draft?

2.	the server is compiled statically to the source for openssl that the openssl command is executed from.  I’d think they would be able to negotiate the first protocol listed.

3.	Why does the protocol come up (even with the openssl command) as TLS_AES_256_GCM_SHA384 and not the TLS13 variants?  ChaCha20-Poly1305 works in TLS1.2 just fine.

Thoughts?

EKG



> On Apr 17, 2018, at 1:45 PM, Reinis Rozitis <r at roze.lv <mailto:r at roze.lv>> wrote:
> 
>> Is there any reason why SSLlabs would report only 1.2 as being available despite the config showing otherwise ?
> 
> Also SSLLabs supports only tls 1.3 draft18 while for example OpenSSL 1.1.1pre4 is draft 28, so it won't show that the server supports tls1.3.
> 
> rr
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org <mailto:nginx at nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180417/d426bea2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180417/d426bea2/attachment.bin>


More information about the nginx mailing list