nginx 1.17.1 configcheck fails if config'd for TLSv1.3-only ?

Maxim Dounin mdounin at mdounin.ru
Fri Jul 19 18:41:25 UTC 2019


Hello!

On Fri, Jul 19, 2019 at 11:24:36AM -0700, PGNet Dev wrote:

> On 7/19/19 11:02 AM, Maxim Dounin wrote:
> > Hello!
> > 
> > On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:
> > 
> >>>> And, if I change nginx to be 'TLSv1.3-only',
> >>>>
> >>>> -	ssl_protocols TLSv1.3 TLSv1.2;
> >>>> -	ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
> >>>> +	ssl_protocols TLSv1.3;
> >>>> +	ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";
> >>>>
> >>>> even the webserver config check FAILs,
> >>>>
> >>>> 	nginxconfcheck
> >>>> 		TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
> >>>> 		nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
> >>>>
> >>>> and the server fails to start.
> >>>
> >>> That's because the cipher string listed contains no valid ciphers.
> >>
> >>
> >> Sorry, I'm missing something :-/
> >>
> >> What's specifically "invalid" about the 3, listed ciphers?
> >>
> >> 	TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256
> > 
> > There are no such ciphers in the OpenSSL.
> > Try it yourself:
> > 
> > $ openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
> > Error in cipher list
> > 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:
> > 
> > [...]
> > 
> 
> Then what are these lists?

You may want to re-read my initial answer and the ticket it 
links to.

[...]

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list