nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?
Maxim Dounin
mdounin at mdounin.ru
Fri Jul 19 18:02:37 UTC 2019
Hello!
On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:
> >> And, if I change nginx to be 'TLSv1.3-only',
> >>
> >> - ssl_protocols TLSv1.3 TLSv1.2;
> >> - ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
> >> + ssl_protocols TLSv1.3;
> >> + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";
> >>
> >> even the webserver config check FAILs,
> >>
> >> nginxconfcheck
> >> TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
> >> nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
> >>
> >> and the server fails to start.
> >
> > That's because the cipher string listed contains no valid ciphers.
>
>
> Sorry, I'm missing something :-/
>
> What's specifically "invalid" about the 3 listed ciphers?
>
> TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256
There are no such ciphers in OpenSSL.
Try it yourself:
$ openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
Error in cipher list
0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:
[...]
--
Maxim Dounin
http://mdounin.ru/
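As an added example (not part of the thread, and not nginx's or OpenSSL's own code), the following POSIX shell helper runs the same `openssl ciphers` check Maxim suggests over each name in an nginx-style `ssl_ciphers` string, so a deployment pipeline can reject an unusable list before `nginx -t` or a reload ever sees it. It assumes an OpenSSL 1.1.1 or later `openssl` binary on PATH. The `TLS13-*` names are the ones quoted in the thread; the `TLS_AES_256_GCM_SHA384`-style names are the TLS 1.3 suite names OpenSSL 1.1.1 introduced for its separate `SSL_CTX_set_ciphersuites` list (the `-ciphersuites` option of `openssl ciphers`), which is distinct from the legacy cipher list that `ssl_ciphers` hands to `SSL_CTX_set_cipher_list`. The `LEGACY_LIST` and `TLS13_SUITES` values are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the nginx thread: pre-flight an ssl_ciphers string
# with the same `openssl ciphers` check suggested in the reply.
# Assumes an OpenSSL 1.1.1+ `openssl` on PATH. THREAD_LIST is the string quoted
# in the thread; LEGACY_LIST and TLS13_SUITES are constructed for this example.

# Returns 0 if OpenSSL accepts STRING as a legacy cipher list, i.e. the list
# that SSL_CTX_set_cipher_list (and therefore nginx's ssl_ciphers) consumes.
check_cipher_list() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Returns 0 if OpenSSL accepts STRING as a TLS 1.3 ciphersuite list, the
# separate list behind SSL_CTX_set_ciphersuites (OpenSSL 1.1.1+), whose
# members are named like TLS_AES_256_GCM_SHA384.
check_ciphersuites() {
    openssl ciphers -ciphersuites "$1" >/dev/null 2>&1
}

# Prints each name in STRING (separated by spaces, colons or commas, as
# OpenSSL allows) that this OpenSSL rejects from the legacy cipher list, one
# per line; prints nothing when every name is accepted.
# Returns 0 only when nothing was rejected.
rejected_ciphers() {
    rc=0
    for name in $(printf '%s' "$1" | tr ':,' '  '); do
        if ! openssl ciphers "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# The TLSv1.3-only string from the thread (rejected by OpenSSL 1.1.1+).
THREAD_LIST="TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256"
# Constructed legacy (TLS 1.2) list built from names OpenSSL does recognise.
LEGACY_LIST="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384"
# Constructed TLS 1.3 suite list in the naming OpenSSL 1.1.1+ actually uses.
TLS13_SUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

# Prints a one-line verdict per string, naming every rejected member so the
# operator sees exactly which names the local OpenSSL does not know.
report() {
    for s in "$THREAD_LIST" "$LEGACY_LIST"; do
        bad=$(rejected_ciphers "$s")
        if [ -z "$bad" ]; then
            printf 'ok (legacy cipher list): %s\n' "$s"
        else
            printf 'rejected by this OpenSSL: %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')"
        fi
    done
    if check_ciphersuites "$TLS13_SUITES"; then
        printf 'ok (TLS 1.3 ciphersuites): %s\n' "$TLS13_SUITES"
    else
        printf 'rejected as TLS 1.3 ciphersuites: %s\n' "$TLS13_SUITES"
    fi
}

report
```

Run it on the host that will serve the config, since the verdict depends on the OpenSSL build nginx is linked against, not on the one on a workstation; the per-name loop is what turns the opaque "no cipher match" error from the thread into the specific names that need fixing.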