no TLS1.3 with 1.15.5

Bogdan bf.014 at protonmail.com
Sat Nov 10 06:45:12 UTC 2018


Hello!

I am sorry for the late answer. I never install any compiled packages except for the ones that can be pulled from Ubuntu's official repositories. Since 1.15.5 was not available yet (and the one that was available was compiled against an SSL version which didn't support TLS1.3), I had to retrieve the source code for both and do all the hard and fun work myself. :)

Seeing how it works, I believe that it's worth all the trouble.

Bogdan

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, November 7, 2018 9:17 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:

> Hi.  I know this does not solve the problem, but curious if you found a package that was compiled with 1.1.1 or compiled it yourself.  Generally I like to avoid the latter as everything is managed through salt, but am interested in TLSv1.3
>
> Thanks,
> Jeff
>
> On Tue, Nov 6, 2018 at 1:19 PM Maxim Dounin <mdounin at mdounin.ru> wrote:
>
>> Hello!
>>
>> On Sat, Nov 03, 2018 at 06:14:15PM +0000, Bogdan via nginx wrote:
>>
>>> Hello, everyone.
>>>
>>> I am stuck with a fresh installation which runs absolutely fine except it doesn't offer TLS1.3, which is the biggest reason for updating the server.
>>>
>>> Below is some info about my config.
>>>
>>> Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic
>>>
>>> nginx compile options: nginx/1.15.5 (Ubuntu)
>>> built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
>>> built with OpenSSL 1.1.1  11 Sep 2018
>>> TLS SNI support enabled
>>> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_geoip_module=dynamic --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --without-http_empty_gif_module --without-http_browser_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-debug
>>>
>>> /etc/nginx/sites-available/default:
>>>
>>> ssl_session_cache shared:SSL:1m;
>>>
>>> server {
>>>
>>> ssl_early_data on;
>>> ssl_dhparam /etc/nginx/ssl/dh4096.pem;
>>> ssl_session_timeout 5m;
>>> ssl_stapling on;
>>> ssl_stapling_verify on;
>>> ssl_prefer_server_ciphers on;
>>> ssl_protocols TLSv1.2 TLSv1.3;
>>> ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
>>> ssl_ecdh_curve secp521r1:secp384r1;
>>>
>>> }
>>>
>>> I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that is TLS1.3 RFC as far as I know) and ssllabs.com's test says TLSv1.3 is non-existent on the server.
>>>
>>> Any help would be much appreciated.
>>
>> Make sure you have properly configured ssl_protocols in the
>> default server for the listen socket in question.  If unsure,
>> configure ssl_protocols at the http{} level.
>>
>> Note well that testing using "openssl s_client" from the OpenSSL
>> library you've built nginx with is the most reliable approach, as it
>> ensures that proper TLSv1.3 variant is used by the client.
>>
>> --
>> Maxim Dounin
>> http://mdounin.ru/
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
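
Maxim's advice above, as an added example that is not part of the thread: a small POSIX shell script that checks a server with `openssl s_client` from a specific OpenSSL binary (so the client speaks the same TLSv1.3 variant nginx was built with) and reports the negotiated protocol and cipher. The path to the OpenSSL binary, the host and the port are assumed to be passed as arguments; the two sample `s_client` outputs embedded in the script are constructed for offline testing of the parser and are not captured from the poster's server.

```shell
#!/bin/sh
# Added example: test whether a server negotiates TLSv1.3, using the OpenSSL
# binary nginx was linked against (assumption: caller passes its path).
#
# Usage: ./check_tls13.sh /path/to/openssl example.com [443]

# Parse "openssl s_client" output read on stdin and print "<protocol> <cipher>".
# s_client prints "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" after a
# successful handshake and "New, (NONE), Cipher is (NONE)" after a failed one.
parse_handshake() {
    sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# Return 0 if the parsed result says TLSv1.3 was negotiated, 1 otherwise.
is_tls13() {
    case "$1" in
        "TLSv1.3 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Connect with the given OpenSSL binary, offering only TLSv1.3 (-tls1_3) and
# sending SNI (-servername), then report the result. Returns 0 on TLSv1.3.
check_tls13() {
    openssl_bin=${1:-openssl}
    host=$2
    port=${3:-443}
    result=$(printf 'Q\n' | "$openssl_bin" s_client -connect "$host:$port" \
                 -servername "$host" -tls1_3 2>/dev/null | parse_handshake)
    if is_tls13 "$result"; then
        echo "$host:$port negotiated $result"
        return 0
    fi
    echo "$host:$port did not negotiate TLSv1.3 (got: ${result:-no handshake})"
    return 1
}

# Constructed sample outputs (not real captures) used to exercise the parser.
SAMPLE_TLS13='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'

SAMPLE_FAILED='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Run the live check only when host arguments were supplied.
if [ $# -ge 2 ]; then
    check_tls13 "$@"
fi
```

Because nginx takes `ssl_protocols` for a listen socket from its default server, as Maxim notes, the script also sends SNI so that a TLSv1.3 failure is visible even when only a name-based `server{}` block lists TLSv1.3; moving the directive to the `http{}` level removes that ambiguity.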