no TLS1.3 with 1.15.5

Bogdan bf.014 at protonmail.com
Sun Nov 4 19:10:06 UTC 2018 

Hi, Andreas!


I disabled NPN (Next Protocol Negotiation) because, as far as I know (not very far and it comes from what I've read, since I am not an expert), ALPN with HTTP/2 is more efficient and offers lower latency. Google also dropped support for NPN in their Chrome browser.

Indeed I tried to disable as many lines as possible, but the compiling options for nginx weren't the culprit. The distribution's openssl was also compiled from scratch (v1.1.1), so there was no chance that on my system I was been using versions of software which were not able to offer TLS1.3 support.

The problem was that in /etc/nginx/nginx.conf I had this line which I missed:

ssl_protocols TLSv1.2;

It was a configuration error on my part, so updating the line as follows solved the problem:

ssl_protocols TLSv1.2 TLSv1.3;

A great trouble for a only a few missing characters, but once the trouble is gone, the server runs greatly. :)



Thank you for your suggestions!

Bogdan




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, November 4, 2018 2:31 PM, A. Schulze <sca at andreasschulze.de> wrote:

> Am 03.11.18 um 19:14 schrieb Bogdan via nginx:
>
> > Hello, everyone.
> > I am stuck with a fresh installation which runs absolutely fine except it doesn't offer TLS1.3 which is the the biggest reason for updating the server.
> > Below is some info about my config.
> > Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic
> > nginx compile options: nginx/1.15.5 (Ubuntu)
> > built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
> > built with OpenSSL 1.1.1  11 Sep 2018
> > TLS SNI support enabled
> > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_geoip_module=dynamic --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1
> > --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --without-http_empty_gif_module --without-http_browser_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-debug
>
> Hello Bogdan,
>
> while I have not really a helpful suggestion for you I noticed you disabled "nextprotoneg" for openssl.
> May I kindly ask why you do so?
>
> > /etc/nginx/sites-available/default:
> > ssl_session_cache shared:SSL:1m;
> > server {
> > ssl_early_data on;
>
> that one I did not know, so thanks for the hint.
>
> > ssl_dhparam /etc/nginx/ssl/dh4096.pem;
> > ssl_session_timeout 5m;
> > ssl_stapling on;
> > ssl_stapling_verify on;
> > ssl_prefer_server_ciphers on;
> > ssl_protocols TLSv1.2 TLSv1.3;
> > ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
> > ssl_ecdh_curve secp521r1:secp384r1;
>
> try to disable as many option as possible. I would start leaving ssl_dhparam, stapling, ciphers and curve options on defaults.
>
> > }
> > I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that is TLS1.3 RFC as far as I know) and ssllabs.com's test says TLSv1.3 is non-existent on the server.
>
> Also using "openssl s_client" is a good method for measurement.
>
> > Any help would be much appreciated.
>
> are you sure, nginx is really not build against distribution's openssl not supporting TLS1.3?
>
> > Bogdan
>
> Good luck!
> Andreas
>
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list