nginx 1.17.3 and TLSv1.3

Maxim Dounin mdounin at mdounin.ru
Fri Aug 16 18:32:40 UTC 2019


Hello!

On Fri, Aug 16, 2019 at 02:15:22PM -0400, benztoy wrote:

> I want to run two nginx services on one host. They are nginxA and nginxB.
> nginxA is listening on https port 443. Only the TLSv1.3 protocol is available.
> The configuration file is as follows:

[...]

>     server {
>         listen 443 ssl;
>         server_name localhost;
> 
>         ssl_certificate cert.pem;
>         ssl_certificate_key cert.key;
> 
>         ssl_session_cache shared:SSL:1m;
>         ssl_session_timeout 5m;
>         ssl_protocols TLSv1.3;

So only TLSv1.3 is enabled on the 443 port.

[...]

>         location / {
>             proxy_pass https://127.0.0.1/;
>             proxy_ssl_session_reuse off;
>         }

And no proxy_ssl_protocols set for proxying, so it only has TLSv1, 
TLSv1.1, and TLSv1.2 enabled by default.

[...]

> But when I visit https://127.0.0.1:444
> it returns 502 Bad Gateway.
> Among them, nginx serving port 444 has error.log:
> SSL_do_handshake() failed (SSL: error:1409442E:SSL
> routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70)
> while SSL handshaking to upstream, client: 127.0.0.1, server: localhost,
> request: "GET / HTTP/1.1 ", upstream: "https://127.0.0.1:443/", host:
> "127.0.0.1:444"
> 
> 
> Dear friends, what is the reason for this?
> The SSL protocol version of my first service, nginxA, must be TLSv1.3 only. There
> is no other lower version. Can I successfully access https://127.0.0.1:444
> by modifying the nginxA or nginxB configuration file?

The problem is that you are trying to connect to a TLSv1.3-only 
port by using the proxy not configured to use TLSv1.3.  You have 
to enable TLSv1.3 in your proxy configuration, something like:

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

should work.  See http://nginx.org/r/proxy_ssl_protocols for 
additional details.

-- 
Maxim Dounin
http://mdounin.ru/
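The suggested fix applied to nginxB's server block, as an added example that is not part of the thread. The certificate paths and the upstream-verification directives at the end are assumptions, not something the original poster or Maxim showed.

```nginx
# nginxB: listens on 444 and proxies to nginxA on 127.0.0.1:443,
# which accepts TLSv1.3 only. Added example; cert paths are placeholders.
server {
    listen 444 ssl;
    server_name localhost;

    ssl_certificate     certB.pem;   # placeholder path
    ssl_certificate_key certB.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://127.0.0.1/;
        proxy_ssl_session_reuse off;

        # Without this line the upstream handshake offers only TLSv1 to
        # TLSv1.2 (the default), and a TLSv1.3-only upstream rejects it
        # with "tlsv1 alert protocol version" (alert 70) -> 502 Bad Gateway.
        # Listing only TLSv1.3 is enough here; Maxim's broader list works too.
        proxy_ssl_protocols TLSv1.3;

        # Optional hardening (assumed paths): verify the upstream certificate
        # rather than trusting whatever answers on 127.0.0.1:443.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate ca.pem;   # placeholder path
        proxy_ssl_name localhost;
    }
}
```

Check the behaviour before and after with nginx's error log: the alert 70 line quoted above disappears once proxy_ssl_protocols includes TLSv1.3.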