[PATCH 0 of 3] QUIC ciphers cleanup and CCM support
Sergey Kandaurov
pluknet at nginx.com
Fri Jun 16 23:44:38 UTC 2023
> On 9 Jun 2023, at 11:12, Roman Arutyunyan <arut at nginx.com> wrote:
>
> Patches 1 & 2 do minor cleanup in encryption code.
>
> Patch 3 adds TLS_AES_128_CCM_SHA256 support to QUIC, which currently is the
> only cipher suite not supported by nginx QUIC implementation. It's disabled
> by default in OpenSSL and can be enabled by the following directive:
>
> ssl_conf_command Ciphersuites TLS_AES_128_CCM_SHA256;
Note that it is disabled in Crome and Firefox, further limiting its use.
https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=73
https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=80
(same for FF 114 and Chrome 114 latest versions).
It appears to be enabled though in RHEL and derivatives:
https://www.redhat.com/en/blog/transport-layer-security-version-13-red-hat-enterprise-linux-8
/etc/crypto-policies/back-ends/opensslcnf.config:
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
--
Sergey Kandaurov
More information about the nginx-devel
mailing list