<div dir="ltr"><div>thanks for the update Maxim but unfortunately still nok ...</div><div><br></div><div>my openssl.conf</div><div><br></div><div>[default_conf]<br>ssl_conf = ssl_sect<br>[ssl_sect]<br>system_default = system_default_sect<br>[system_default_sect]<br>Options = ServerPreference,PrioritizeChaCha<br>[req]<br>distinguished_name = req_distinguished_name<br>req_extensions = v3_req<br>prompt = no<br>[req_distinguished_name]<br>C = DE<br>CN = <a href="http://www.example.com">www.example.com</a><br>[v3_req]<br>keyUsage = keyEncipherment, dataEncipherment<br>extendedKeyUsage = serverAuth<br>subjectAltName = @alt_names<br>[alt_names]<br>DNS.1 = <a href="http://www.example.com">www.example.com</a></div><div><br></div><div>my nginx.conf</div><div><br></div><div> ssl_prefer_server_ciphers on;<br> ssl_protocols TLSv1.3;<br> ssl_ciphers ECDHE+CHACHA20:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;</div><div><br></div><div>nginx is no longer crying on ssl_ciphers syntax but CHACHA20 is still NOT the Cipher challenged :-(</div><div><br></div><div>-V.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, May 3, 2020 at 11:21 PM Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello!<br>
<br>
On Sun, May 03, 2020 at 07:04:49PM +0200, Vincent Blondel wrote:<br>
<br>
> Hello,<br>
> <br>
> Trying to get CHACHA20-POLY1305 Server Preference ... Working with tlsv1.2<br>
> but NOK with tlsv1.3<br>
> <br>
> ** Tried with a Custom OpenSSL.conf ServerPreference,PrioritizeChaCha<br>
> <br>
> OPENSSL_CONF=$HOME/conf/openssl.conf $HOME/bin/nginx.exe<br>
> <br>
> [default_conf]<br>
> ssl_conf = ssl_sect<br>
> [ssl_sect]<br>
> system_default = system_default_sect<br>
> [system_default_sect]<br>
> Ciphersuites =<br>
> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384<br>
> Options = ServerPreference,PrioritizeChaCha<br>
> <br>
> ** Tried by patching src/event/ngx_event_openssl.c<br>
> <br>
> - SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);<br>
> + SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE |<br>
> SSL_OP_PRIORITIZE_CHACHA);<br>
> <br>
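Review bot: the hunk ORs in SSL_OP_PRIORITIZE_CHACHA unconditionally, but that flag only exists in OpenSSL 1.1.1 and later, so the patched ngx_event_openssl.c would no longer compile against older OpenSSL; wrap the addition in #ifdef SSL_OP_PRIORITIZE_CHACHA / #endif. It also hard-wires ChaCha priority for every server that enables server cipher preference, with no nginx directive to switch it off, which is why the Options = ServerPreference,PrioritizeChaCha route in openssl.conf is the cleaner way to get the same effect without touching the source.<br>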
> ** Tried by patching src/event/ngx_event_openssl.c<br>
<br>
There is no need to patch anything as long as you have Options set <br>
in openssl.conf.<br>
<br>
> nginx -s reload<br>
> nginx: [emerg]<br>
> SSL_CTX_set_cipher_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256")<br>
> failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher<br>
> match)<br>
> <br>
> ssl_prefer_server_ciphers on;<br>
> ssl_protocols TLSv1.3;<br>
> ssl_ciphers<br>
> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256;<br>
> <br>
> my config is working like a charm with tlsv1.2 but i cannot get CHACHA20<br>
> prioritized with tlsv1.3 ... hence my question ...how to do with nginx<br>
> version: nginx/1.18.0 ?<br>
<br>
The problem is that OpenSSL's SSL_CTX_set_cipher_list() does not <br>
recognize any ciphers in the cipher list you've provided in the <br>
ssl_ciphers directive, hence the error. You have to provide at <br>
least one valid cipher.<br>
<br>
Note that OpenSSL's SSL_CTX_set_cipher_list() does not recognize <br>
any TLSv1.3 ciphers (and instead enables them by default), hence <br>
you have to use at least one TLSv1.2 cipher listed.<br>
<br>
-- <br>
Maxim Dounin<br>
<a href="http://mdounin.ru/" rel="noreferrer" target="_blank">http://mdounin.ru/</a><br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div>
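Maxim's explanation above, reproduced as an added example that is not part of the thread: Python's SSLContext.set_ciphers() wraps OpenSSL's SSL_CTX_set_cipher_list(), so the "no cipher match" failure for a TLSv1.3-only list and the fact that the TLSv1.3 suites stay enabled anyway can be observed offline. It assumes Python linked against OpenSSL 1.1.1 or later; the cipher strings are constructed from the ones posted in the thread.

```python
import ssl

# Constructed cipher strings modelled on the ones in the thread.
TLS13_ONLY = ("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
              "TLS_AES_256_GCM_SHA384")
# Same list with TLSv1.2 entries in front; the TLSv1.3 names are ignored,
# not rejected, as long as at least one TLSv1.2 cipher matches.
WITH_TLS12 = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE+CHACHA20:" + TLS13_ONLY


def cipher_list_accepted(spec: str) -> bool:
    """True if SSL_CTX_set_cipher_list() accepts spec, i.e. at least one
    TLSv1.2 (or older) cipher in it is known to OpenSSL. A string made only
    of TLSv1.3 suite names fails, which is nginx's [emerg] 'no cipher match'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return True


def enabled_suites(spec: str):
    """Split the context's effective cipher list into TLSv1.2 and TLSv1.3
    names after applying spec. The TLSv1.3 suites present are OpenSSL's
    defaults: ssl_ciphers/SSL_CTX_set_cipher_list() does not select them,
    only SSL_CTX_set_ciphersuites() or Ciphersuites= in openssl.conf does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError for a TLSv1.3-only spec
    tls12, tls13 = [], []
    for cipher in ctx.get_ciphers():
        (tls13 if cipher["protocol"] == "TLSv1.3" else tls12).append(cipher["name"])
    return tls12, tls13


def tls13_available() -> bool:
    """Whether the linked OpenSSL offers TLSv1.3 at all."""
    return ssl.HAS_TLSv1_3


if __name__ == "__main__":
    print("TLSv1.3-only ssl_ciphers accepted:", cipher_list_accepted(TLS13_ONLY))
    tls12, tls13 = enabled_suites(WITH_TLS12)
    print("TLSv1.2 ciphers selected by set_ciphers():", tls12)
    print("TLSv1.3 suites enabled regardless:", tls13)
```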