nginx 1.17.3 and TLSv1.3
Maxim Dounin
mdounin at mdounin.ru
Fri Aug 16 18:32:40 UTC 2019
Hello!
On Fri, Aug 16, 2019 at 02:15:22PM -0400, benztoy wrote:
> I want to run two nginx services on one host. They are nginxA and nginxB
> nginxA is listening on the https port 443. Only the TLSv1.3 protocol is available.
> The configuration file is as follows:
[...]
> server {
> listen 443 ssl;
> server_name localhost;
>
> ssl_certificate cert.pem;
> ssl_certificate_key cert.key;
>
> ssl_session_cache shared:SSL:1m;
> ssl_session_timeout 5m;
> ssl_protocols TLSv1.3;
So only TLSv1.3 is enabled on the 443 port.
[...]
> location / {
> proxy_pass https://127.0.0.1/;
> proxy_ssl_session_reuse off;
> }
And no proxy_ssl_protocols set for proxying, so it only has TLSv1,
TLSv1.1, and TLSv1.2 enabled by default.
[...]
> But when I visit https://127.0.0.1:444
> it returns 502 Bad Gateway.
> The nginx serving port 444 has this in error.log:
> SSL_do_handshake() failed (SSL: error:1409442E:SSL
> routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70)
> while SSL handshaking to upstream, client: 127.0.0.1, server: localhost,
> request: "GET / HTTP/1.1 ", upstream: "https://127.0.0.1:443/", host:
> "127.0.0.1:444"
>
>
> Dear friends, What is the reason for this?
> My first service ssl protocol version of nginxA must be TLSv1.3 only. There
> is no other lower version. Can I successfully access https://127.0.0.1:444
> by modifying the nginxA or nginxB configuration file?
The problem is that you are trying to connect to a TLSv1.3-only
port by using the proxy not configured to use TLSv1.3. You have
to enable TLSv1.3 in your proxy configuration, something like:
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
should work. See http://nginx.org/r/proxy_ssl_protocols for
additional details.
--
Maxim Dounin
http://mdounin.ru/
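The mismatch described in this thread can be caught before deploying by checking that the upstream's ssl_protocols and the proxy's proxy_ssl_protocols share at least one version. The script below is an added example, not code from the thread or from nginx; the defaults it assumes are those of nginx 1.17.x (both directives default to "TLSv1 TLSv1.1 TLSv1.2"), and the two config snippets are constructed from the thread.

```python
import re

# nginx 1.17.x defaults (assumption for this example): when the directive is
# absent, both ssl_protocols and proxy_ssl_protocols allow TLSv1 to TLSv1.2 only.
DEFAULT_SSL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
DEFAULT_PROXY_SSL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed from the thread: nginxA only speaks TLSv1.3 on port 443.
UPSTREAM_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
}
"""

# Constructed from the thread: nginxB proxies to 443 with no proxy_ssl_protocols.
PROXY_CONF_BROKEN = """
server {
    listen 444 ssl;
    location / {
        proxy_pass https://127.0.0.1/;
        proxy_ssl_session_reuse off;
    }
}
"""

# The fix suggested in the reply: allow TLSv1.3 towards the upstream.
PROXY_CONF_FIXED = PROXY_CONF_BROKEN.replace(
    "proxy_ssl_session_reuse off;",
    "proxy_ssl_session_reuse off;\n"
    "        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;",
)


def protocols(conf, directive, default):
    """Return the protocol set given for `directive`, or `default` if unset.

    Only the first uncommented occurrence is considered; '#'-prefixed lines
    never match because the pattern is anchored at line start."""
    match = re.search(r"^\s*" + re.escape(directive) + r"\s+([^;]+);", conf, re.M)
    return set(match.group(1).split()) if match else set(default)


def common_protocols(upstream_conf, proxy_conf):
    """Protocol versions both sides accept; empty means the handshake will
    fail with 'tlsv1 alert protocol version' and nginx will answer 502."""
    server_side = protocols(upstream_conf, "ssl_protocols", DEFAULT_SSL_PROTOCOLS)
    client_side = protocols(proxy_conf, "proxy_ssl_protocols", DEFAULT_PROXY_SSL_PROTOCOLS)
    return server_side & client_side


if __name__ == "__main__":
    print("broken:", common_protocols(UPSTREAM_CONF, PROXY_CONF_BROKEN))  # set()
    print("fixed: ", common_protocols(UPSTREAM_CONF, PROXY_CONF_FIXED))   # {'TLSv1.3'}
```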