CHACHA20-POLY1305 Server Preference NOK with tlsv1.3

Vincent Blondel vbl5968 at gmail.com
Mon May 4 05:49:26 UTC 2020


thanks for the update Maxim but unfortunately still nok ...

my openssl.conf

[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = ServerPreference,PrioritizeChaCha
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
CN = www.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com

my nginx.conf

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3;
    ssl_ciphers ECDHE+CHACHA20:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;

nginx is no longer crying on ssl_ciphers syntax but CHACHA20 is still NOT
the Cipher challenged :-(

-V.

On Sun, May 3, 2020 at 11:21 PM Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Sun, May 03, 2020 at 07:04:49PM +0200, Vincent Blondel wrote:
>
> > Hello,
> >
> > Trying to get CHACHA20-POLY1305 Server Preference ... Working with tlsv1.2
> > but NOK with tlsv1.3
> >
> > ** Tried with a Custom OpenSSL.conf ServerPreference,PrioritizeChaCha
> >
> > OPENSSL_CONF=$HOME/conf/openssl.conf $HOME/bin/nginx.exe
> >
> > [default_conf]
> > ssl_conf = ssl_sect
> > [ssl_sect]
> > system_default = system_default_sect
> > [system_default_sect]
> > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
> > Options = ServerPreference,PrioritizeChaCha
> >
> > ** Tried by patching src/event/ngx_event_openssl.c
> >
> > -        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> > +        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE |
> > SSL_OP_PRIORITIZE_CHACHA);
> >
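Review bot: the `+` line ORs SSL_OP_PRIORITIZE_CHACHA into the options unconditionally; wrap it in `#ifdef SSL_OP_PRIORITIZE_CHACHA` so nginx still compiles against OpenSSL builds and forks that do not define that flag, and, as the reply below points out, the same effect is available without a source patch by setting `Options = ServerPreference,PrioritizeChaCha` in openssl.conf.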
> > ** Tried by patching src/event/ngx_event_openssl.c
>
> There is no need to patch anything as long as you have Options set
> in openssl.conf.
>
> > nginx -s reload
> > nginx: [emerg] SSL_CTX_set_cipher_list("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256")
> > failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
> >
> > ssl_prefer_server_ciphers on;
> > ssl_protocols TLSv1.3;
> > ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256;
> >
> > my config is working like a charm with tlsv1.2 but i cannot get CHACHA20
> > prioritized with tlsv1.3 ... hence my question ...how to do with nginx
> > version: nginx/1.18.0 ?
>
> The problem is that OpenSSL's SSL_CTX_set_cipher_list() does not
> recognize any ciphers in the cipher list you've provided in the
> ssl_ciphers directive, hence the error.  You have to provide at
> least one valid cipher.
>
> Note that OpenSSL's SSL_CTX_set_cipher_list() does not recognize
> any TLSv1.3 ciphers (and instead enables them by default), hence
> you have to use at least one TLSv1.2 cipher listed.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
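An added check, not part of this thread or of nginx: Python's ssl module wraps the same OpenSSL SSL_CTX_set_cipher_list() that nginx calls for ssl_ciphers, so a candidate string can be validated offline before reloading nginx. The two input strings are the ones quoted above; the helper names are my own, and the script assumes a Python built against OpenSSL 1.1.1 or later.

```python
import ssl

# Constructed inputs: the two ssl_ciphers values from this thread.
TLS13_ONLY = ("TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
              "TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256")
WITH_TLS12 = ("ECDHE+CHACHA20:TLS_CHACHA20_POLY1305_SHA256:"
              "ECDHE-ECDSA-CHACHA20-POLY1305")


def cipher_list_accepted(cipher_string: str) -> bool:
    """Return True if SSL_CTX_set_cipher_list() accepts the string.

    SSLContext.set_ciphers() makes the same OpenSSL call nginx makes for
    ssl_ciphers, so the "no cipher match" failure nginx reported shows up
    here as ssl.SSLError.  TLS 1.3 suite names alone never satisfy it,
    because the call requires at least one pre-1.3 cipher to match.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def enabled_ciphers(cipher_string: str) -> dict:
    """Split the ciphers a context would offer into TLS 1.3 and older names.

    TLS 1.3 suites are enabled by default and are listed even though the
    cipher string never names them via set_cipher_list().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    by_version = {"TLSv1.3": [], "older": []}
    for c in ctx.get_ciphers():
        key = "TLSv1.3" if c["protocol"] == "TLSv1.3" else "older"
        by_version[key].append(c["name"])
    return by_version


if __name__ == "__main__":
    for label, s in (("TLS 1.3 names only", TLS13_ONLY),
                     ("with a TLS 1.2 cipher", WITH_TLS12)):
        state = "accepted" if cipher_list_accepted(s) else "rejected (no cipher match)"
        print(f"{label}: {state}")
    print(enabled_ciphers(WITH_TLS12))
```

This only checks what nginx will accept; whether ChaCha20 is actually chosen over AES-GCM for a TLS 1.3 client depends on the PrioritizeChaCha option, which needs a real handshake to observe.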