Unable to activate TLS1.3

Taco de Wolff tacodewolff at gmail.com
Wed Mar 20 11:53:39 UTC 2024 

I figured it out. One of the servers that is listening on 443 uses
"ssl_reject_handshake on;" and thus I didn't define an ssl_certificate +
ssl_certificate_key + ssl_trusted_certificate as it is not (and should not
be) required. For some reason, this disabled TLS1.3 for all servers quite
unexpectedly. Adding all three variables and keeping the
ssl_reject_handshake, re-enabled TLS1.3 (eventhough TLS1.2 works fine in
both cases). Could this be a bug?

Kind regards,
Taco de Wolff


Op di 19 mrt 2024 om 09:39 schreef Taco de Wolff <tacodewolff at gmail.com>:

> Hi,
>
> I'm using Nginx 1.25.4 with the OpenSSL 1.1.1k FIPS build on CentOS Stream
> 8 (FIPS not enabled). I have checked that the OpenSSL library can connect
> to other services using TLS1.3 and Postfix + Dovecot work fine on TLS1.3 as
> well, but Nginx doesn't seem to enable TLS1.3 as reported by SSLLabs and by
> checking manually using:
>
> $ openssl s_client -connect domain.com:443 -tls1_3
> CONNECTED(00000003)
> 4027EC8EC57D0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert
> protocol version:ssl/record/rec_layer_s3.c:865:SSL alert number 70
>
> TLS1.2 works fine though, and I'm sure TLS1.3 used to work but I can't
> figure out what has changed. The relevant configuration:
>
>
> http {
>     # SSL
>     ssl_session_timeout 1d;
>     ssl_session_cache shared:SSL:32m;
>     ssl_session_tickets off;
>
>     # Diffie-Hellman parameter for DHE ciphersuites
>     ssl_dhparam /etc/nginx/dhparam.pem;
>
>     # SSL ciphers
>     ssl_protocols TLSv1.2 TLSv1.3;
>     ssl_ciphers
> TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
>     #ssl_prefer_server_ciphers on;
>
>     # OCSP Stapling
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
>     resolver 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220 valid=60s;
>     resolver_timeout 2s;
>
>     # HTTP3
>     http3_hq on;
>     quic_gso on;
>     quic_retry on;
>     #ssl_early_data on;
>
>     # ...
> }
>
> server {
>     listen 443 ssl;
>     listen 443 quic;
>     listen [::]:443 ssl;
>     listen [::]:443 quic;
>
>     http2 on;
>
>     # SSL
>     ssl_certificate         /etc/pki/lego/certificates/domain.com.crt;
>     ssl_certificate_key     /etc/pki/lego/certificates/domain.com.key;
>     ssl_trusted_certificate
> /etc/pki/lego/certificates/domain.com.issuer.crt;
>
>     # ...
> }
>
>
> I'm really at a loss and unsure how to proceed debugging this. What else
> could be the problem? Thank you for your time.
>
> Kind regards,
> Taco de Wolff
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240320/4360faed/attachment.htm>

More information about the nginx mailing list