Enabling TLS 1.0 / 1.1 on Debian Testing
kmansoft
nginx-forum at forum.nginx.org
Thu Nov 15 17:17:39 UTC 2018
Cross posting from https://unix.stackexchange.com/questions/481963, this
seems to be the better place to ask.
---
Just updated Debian from "stable" 9.* to "testing" 10.*.
I have nginx 1.14, which used to come from "stable backports" and is now
included in Debian itself.
Seeing a strange issue with TLS versions in nginx.
TLS 1.3 is enabled, and 1.2 is too, but I can't seem to get TLS 1.0 / 1.1
even though they're included in nginx configs.
https://www.htbridge.com/ssl/?id=QgSrZIuN
Oh, and by the way, Dovecot running on the same system still has TLS 1.0, 1.1,
1.2 and 1.3 all functional:
https://www.htbridge.com/ssl/?id=cSArIbQQ
Relevant bits from the nginx site config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers kECDHE+CHACHA20:kECDHE+AESGCM:kDHE+AESGCM:kECDHE+AES+SHA:kDHE+AES+SHA:!AESCCM:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;
I tried removing either ssl_protocols or ssl_ciphers, or both; nothing really
changed.
Is this an intentional change in nginx, either upstream or as packaged by
Debian? A change in openssl itself?
Is there any way I can enable all TLS versions from 1.0 up to 1.3 in nginx at
the same time?
---
Found this in the Debian news; basically they've disabled TLS 1.0 / 1.1, and
apps have to ask for these versions specifically:
https://packages.qa.debian.org/o/openssl/news/20170824T211015Z.html
* Instead of completely disabling TLS 1.0 and 1.1, just set the minimum
version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
calling SSL_CTX_set_min_proto_version() or
SSL_set_min_proto_version().
Is there some way nginx could accommodate this change and make it possible
to enable TLS 1.0 / 1.1?
Maybe consider adding a new config directive like the one used by Dovecot?
https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf#L55
It would still allow someone to use only TLS 1.2 and newer, or "TLS 1.0 and
newer", or "TLS 1.1 and newer", without getting overly verbose.
It would also work identically with both OpenSSL variations, with and without
TLS 1.3 support.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281984,281984#msg-281984
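The htbridge scans linked in the post show which TLS versions the server actually negotiates, as opposed to what ssl_protocols asks for; the same check can be run locally with openssl(1) s_client, pinning one protocol version per connection. The script below is an added example and is not code from the original post, from nginx or from Debian. It assumes openssl(1) is installed and the host accepts connections on the given port; the s_client transcripts embedded at the bottom are constructed samples used only to exercise the classifier offline. One thing the classifier handles deliberately: a refused handshake still prints an SSL-Session block with a Protocol line, so only a non-null cipher counts as acceptance.

```shell
#!/bin/sh
# tls_probe.sh: ask a server for one TLS version at a time with openssl(1)
# s_client and report which versions it will negotiate. Added example, not
# code from the original post, nginx or Debian; assumes openssl(1) is installed.
# Usage: sh tls_probe.sh HOST[:PORT]   (PORT defaults to 443)

# s_client flag that pins the handshake to exactly one protocol version
# (each flag sets both the minimum and the maximum version for that probe).
version_flag() {
    case "$1" in
        TLSv1)   printf '%s\n' -tls1 ;;
        TLSv1.1) printf '%s\n' -tls1_1 ;;
        TLSv1.2) printf '%s\n' -tls1_2 ;;
        TLSv1.3) printf '%s\n' -tls1_3 ;;   # needs OpenSSL 1.1.1 or newer
        *)       return 1 ;;
    esac
}

# Classify s_client output read from stdin for a probe of version $1.
# A failed handshake still prints an SSL-Session block with a Protocol line,
# so a null cipher ("Cipher is (NONE)" / "Cipher : 0000") marks the refusal.
# Prints one of: accepted | accepted as <version> | refused | unknown
classify_probe() {
    want="$1"
    out=$(cat)
    if printf '%s\n' "$out" | grep -E -q 'Cipher is \(NONE\)|Cipher *: *0000'; then
        echo refused
        return 0
    fi
    got=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(TLSv[0-9.]*\).*$/\1/p' \
        | head -n 1)
    if [ "$got" = "$want" ]; then
        echo accepted
    elif [ -n "$got" ]; then
        echo "accepted as $got"   # server settled on a version other than the pinned one
    else
        echo unknown              # no session block: connect error, unknown flag, etc.
    fi
}

# Probe one version. stdin from /dev/null makes s_client exit right after the
# handshake; stderr is merged because the alert text is printed there.
probe_version() {
    host="$1"; port="$2"; ver="$3"
    flag=$(version_flag "$ver")
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>&1 | classify_probe "$ver"
}

# Probe every version from TLS 1.0 to TLS 1.3 and print a one-line verdict each.
probe_all() {
    host="${1%%:*}"
    port="${1##*:}"
    if [ "$port" = "$1" ]; then
        port=443
    fi
    for ver in TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        printf '%-8s %s\n' "$ver" "$(probe_version "$host" "$port" "$ver")"
    done
}

# Constructed, abridged s_client transcripts used to check the classifier
# offline; real output also carries the certificate chain and session data.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_REFUSED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

SAMPLE_NO_SERVICE='connect: Connection refused
connect:errno=111'

if [ "$#" -gt 0 ]; then
    probe_all "$1"
fi
```

Run it as `sh tls_probe.sh mail.example.org:443` against the nginx vhost and again against the Dovecot port; a server that refuses TLS 1.0 and 1.1 despite `ssl_protocols TLSv1 TLSv1.1 ...` shows `refused` for those two rows, which is the symptom described in the post. `-servername` is passed so that SNI-selected vhosts are probed, and `unknown` rather than `refused` is reported when the connection never reaches a handshake (port closed, or an s_client build without `-tls1_3`).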