no TLS1.3 with 1.15.5

Maxim Dounin mdounin at
Tue Nov 6 18:18:59 UTC 2018


On Sat, Nov 03, 2018 at 06:14:15PM +0000, Bogdan via nginx wrote:

> Hello, everyone.
> I am stuck with a fresh installation which runs absolutely fine except it doesn't offer TLS1.3 which is the biggest reason for updating the server.
> Below is some info about my config.
> Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic
> nginx compile options: nginx/1.15.5 (Ubuntu)
> built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
> built with OpenSSL 1.1.1  11 Sep 2018
> TLS SNI support enabled
> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_geoip_module=dynamic --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --without-http_empty_gif_module --without-http_browser_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-debug
> /etc/nginx/sites-available/default:
> ssl_session_cache shared:SSL:1m;
> server {
> ssl_early_data on;
> ssl_dhparam /etc/nginx/ssl/dh4096.pem;
> ssl_session_timeout 5m;
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.2 TLSv1.3;
> ssl_ecdh_curve secp521r1:secp384r1;
> }
> I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that is TLS1.3 RFC as far as I know) and's test says TLSv1.3 is non-existent on the server.
> Any help would be much appreciated.

Make sure you have properly configured ssl_protocols in the 
default server for the listen socket in question.  If unsure, 
configure ssl_protocols at the http{} level.

Note well that testing using "openssl s_client" from the OpenSSL 
library you've built nginx with is the most reliable approach, as it 
ensures that proper TLSv1.3 variant is used by the client.

Maxim Dounin
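As an added illustration of the "openssl s_client" check recommended above (this is example code, not part of the mailing-list thread or of nginx), the script below probes a host for TLSv1.3 with a chosen openssl binary and extracts the negotiated protocol from the s_client session summary. The OPENSSL_BIN path, the host and port, and the sample s_client output are assumptions and constructed data; set OPENSSL_BIN to the openssl built alongside nginx (here that would be the one from ../openssl-1.1.1) so the client speaks the same TLSv1.3 variant as the server.

```shell
# Added example: probe a server for TLSv1.3 with a specific openssl binary
# and parse the result. Paths, host and port are assumptions to adjust.

# Extract the negotiated protocol from "openssl s_client" output on stdin.
# s_client prints "    Protocol  : TLSv1.3" in its SSL-Session summary; when
# forced with -tls1_3 against a server that lacks TLS 1.3 the handshake fails
# and no Protocol line is printed, so this prints nothing.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Run s_client against host:port, TLS 1.3 only, using $OPENSSL_BIN (assumed
# to be the openssl nginx was linked with). Exit status 0 means TLSv1.3 was
# negotiated, 1 means it was not (or the connection failed).
probe_tls13() {
    host=$1; port=${2:-443}; bin=${OPENSSL_BIN:-openssl}
    proto=$("$bin" s_client -connect "$host:$port" -servername "$host" -tls1_3 \
        </dev/null 2>/dev/null | negotiated_protocol)
    [ "$proto" = "TLSv1.3" ]
}

# List every ssl_protocols directive in a config file with its line number,
# to spot the case where only some server{} blocks (not the default server
# for the listen socket, or the http{} level) enable TLSv1.3.
ssl_protocols_directives() {
    grep -n 'ssl_protocols' "$1" || true
}

# Constructed sample of an s_client session summary (not captured from the
# poster's server), used so the parser can be exercised offline.
SAMPLE_TLS13='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Stand-alone demo: parse the constructed sample, then optionally probe a
# real host given as the first argument.
if [ "${1:-}" != "" ]; then
    if probe_tls13 "$1" "${2:-443}"; then
        echo "$1: TLSv1.3 negotiated"
    else
        echo "$1: TLSv1.3 NOT negotiated"
    fi
else
    echo "sample parses as: $(printf '%s\n' "$SAMPLE_TLS13" | negotiated_protocol)"
fi
```

Run it as `OPENSSL_BIN=/path/to/openssl sh check_tls13.sh example.com 443`; with no arguments it only parses the embedded sample. If the probe fails while a browser still shows TLSv1.2, check the output of `ssl_protocols_directives` on each config file to confirm that the default server for the listen socket (or the http{} level) actually lists TLSv1.3.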
