CHACHA20-POLY1305 Server Preference NOK with tlsv1.3

Vincent Blondel vbl5968 at gmail.com
Sun May 3 17:04:49 UTC 2020


Hello,

Trying to get CHACHA20-POLY1305 Server Preference ... Working with tlsv1.2
but NOK with tlsv1.3

** Tried with a Custom OpenSSL.conf ServerPreference,PrioritizeChaCha

OPENSSL_CONF=$HOME/conf/openssl.conf $HOME/bin/nginx.exe

[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Options = ServerPreference,PrioritizeChaCha

** Tried by patching src/event/ngx_event_openssl.c

-        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE |
SSL_OP_PRIORITIZE_CHACHA);
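
Review bot: SSL_OP_PRIORITIZE_CHACHA on the added line is used without a guard; wrap it in #ifdef SSL_OP_PRIORITIZE_CHACHA (keeping the plain SSL_OP_CIPHER_SERVER_PREFERENCE call in the #else branch) so ngx_event_openssl.c still builds against TLS libraries that do not define that option. The added line is also broken across two lines by the mail client and the hunk has no file header or @@ line, so it will not apply as posted; resend it as an attachment or as unwrapped diff -u output.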

** Tried by patching src/event/ngx_event_openssl.c

nginx -s reload
nginx: [emerg] SSL_CTX_set_cipher_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3;
ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256;

My config is working like a charm with tlsv1.2 but I cannot get CHACHA20
prioritized with tlsv1.3 ... hence my question ... how to do this with nginx
version: nginx/1.18.0?

tx, V.
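
Added example (not part of the original post, and not nginx or OpenSSL source): a simplified C model of how a server picks a suite under the two options named in the post, ServerPreference and PrioritizeChaCha. The flag values, function names and cipher lists are constructed for illustration; the model assumes OpenSSL's documented rule that PrioritizeChaCha only applies when server preference is on and the client ranks a ChaCha20 suite first.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flags modelling the two OpenSSL options; values are local to this sketch. */
#define OPT_SERVER_PREFERENCE 0x1u
#define OPT_PRIORITIZE_CHACHA 0x2u

static int is_chacha(const char *s) { return strstr(s, "CHACHA20") != NULL; }

static int offered(const char *name, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}

/* Returns the negotiated suite, or NULL when the two lists share none. */
const char *choose_suite(const char *const *srv, size_t ns,
                         const char *const *cli, size_t nc, unsigned opts) {
    if (!(opts & OPT_SERVER_PREFERENCE)) {
        /* Without server preference the client's order decides. */
        for (size_t i = 0; i < nc; i++)
            if (offered(cli[i], srv, ns)) return cli[i];
        return NULL;
    }
    /* Server order decides; ChaCha20 is promoted only if the client ranks it first. */
    if ((opts & OPT_PRIORITIZE_CHACHA) && nc > 0 && is_chacha(cli[0]))
        for (size_t i = 0; i < ns; i++)
            if (is_chacha(srv[i]) && offered(srv[i], cli, nc)) return srv[i];
    for (size_t i = 0; i < ns; i++)
        if (offered(srv[i], cli, nc)) return srv[i];
    return NULL;
}

/* Constructed lists: a server ranking AES-256-GCM first, and two kinds of client. */
static const char *const SERVER[] = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256" };
static const char *const CLIENT_AES[] = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256" };
static const char *const CLIENT_CHACHA[] = {
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" };

int main(void) {
    unsigned both = OPT_SERVER_PREFERENCE | OPT_PRIORITIZE_CHACHA;
    printf("AES-first client:    %s\n", choose_suite(SERVER, 3, CLIENT_AES, 3, both));
    printf("ChaCha-first client: %s\n", choose_suite(SERVER, 3, CLIENT_CHACHA, 3, both));
    return 0;
}
```

In this model a test client that lists AES-GCM first never gets ChaCha20 from PrioritizeChaCha; only the order of the server's own list can put it on top for that client.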