CHACHA20-POLY1305 Server Preference NOK with tlsv1.3

Maxim Dounin mdounin at
Mon May 4 23:42:20 UTC 2020


On Mon, May 04, 2020 at 08:10:38PM +0200, Vincent Blondel wrote:

> I just copy/pasted/replaced the content of my openssl.conf with the
> proposal in this mail ... still OK with tlsv1.2 and NOK with tlsv1.3 ...
> openssl is up to date and seems working fine ...

Some things to consider:

- Make sure the openssl.conf you are editing is the one which is 
  actually used.  No errors are produced if loading openssl conf 
  fails, and this somewhat complicates things.

  Given that your first message in this thread suggests you are 
  trying to do this on Windows, trying to use variables when 
  starting nginx might complicate things.

  Also it might not be trivial to trace if the file is actually 
  used (on unix you can use things like ktrace / strace / truss).

- Make sure there are no non-text things in the openssl.conf such 
  as byte order marks.  Some editors tend to add them, and this 
  often breaks things.

- Make sure you are testing things correctly.  Testing cipher 
  preference, especially for TLSv1.3 ciphers, might be 

  A simpler test might be to disable some Ciphersuites in the 
  openssl.conf, and make sure these are actually disabled.  And 
  once you see them disabled, start playing with PrioritizeChaCha.

Maxim Dounin

More information about the nginx mailing list