<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Piling on this, I built nginx-1.14.0 from source with openssl-1.1.1-pre5 compiled in.<div class=""><br class=""></div><div class="">The macro in the header says it’s at TLS 1.3 Draft 26</div><div class=""><br class=""></div><div class="">Chrome 66 claims to support Draft 23 (via <a href="chrome://flags" class="">chrome://flags</a>)?</div><div class=""><br class=""></div><div class="">Neither Cloudflare nor Chrome report TLS 1.3</div><div class=""><br class=""></div><div class="">Yet when I do this from the command line for testing (openssl s_client <i class="">host</i><a href="http://7layers.semperen.com:443" class="">:443</a>)</div><div class=""><br class=""></div><div class="">I get </div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384</div></div><div class=""><div class="">Server public key is 384 bit</div></div><div class=""><div class="">Secure Renegotiation IS NOT supported</div></div><div class=""><div class="">Compression: NONE</div></div><div class=""><div class="">Expansion: NONE</div></div><div class=""><div class="">No ALPN negotiated</div></div><div class=""><div class="">Early data was not sent</div></div><div class=""><div class="">SSL-Session:</div></div><div class=""><div class=""> Protocol : TLSv1.3</div></div><div class=""><div class=""> Cipher : TLS_AES_256_GCM_SHA384</div></div></blockquote><div class=""><br class=""></div><div class="">ssl_ciphers are set to</div><div class=""><br class=""></div><div class=""><div class="">TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128</div><div class="">-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-</div><div class="">RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:ECD</div><div class="">HE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECD</div><div class="">HE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AE</div><div class="">S128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:HIG</div><div class="">H:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;</div></div><div class=""><br class=""></div><div class="">My questions:</div><div class=""><br class=""></div><div class="">1.<span class="Apple-tab-span" style="white-space:pre"> </span>Do the drafts try to negotiate to a common draft?</div><div class=""><br class=""></div><div class="">2.<span class="Apple-tab-span" style="white-space:pre"> </span>the server is compiled statically to the source for openssl that the openssl command is executed from. I’d think <i class="">they</i> would be able to negotiate the first protocol listed.</div><div class=""><br class=""></div><div class="">3.<span class="Apple-tab-span" style="white-space:pre"> </span>Why does the protocol come up (even with the openssl command) as TLS_AES_256_GCM_SHA384 and not the TLS13 variants? ChaCha20-Poly1305 works in TLS1.2 just fine.</div><div class=""><br class=""></div><div class="">Thoughts?</div><div class=""><br class=""></div><div class="">EKG</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 17, 2018, at 1:45 PM, Reinis Rozitis <<a href="mailto:r@roze.lv" class="">r@roze.lv</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><blockquote type="cite" class="">Is there any reason why SSLlabs would report only 1.2 as being available despite the config showing otherwise ?<br class=""></blockquote><br class="">Also SSLLabs supports only tls 1.3 draft18 while for example OpenSSL 1.1.1pre4 is draft 28, so it won't show that the server supports tls1.3.<br class=""><br class="">rr <br class=""><br class="">_______________________________________________<br class="">nginx mailing list<br class=""><a href="mailto:nginx@nginx.org" class="">nginx@nginx.org</a><br class=""><a href="http://mailman.nginx.org/mailman/listinfo/nginx" class="">http://mailman.nginx.org/mailman/listinfo/nginx</a><br class=""></div></div></blockquote></div><br class=""></div></body></html>