Why does the nginx.org main site not supporting TLS v1.3?

Thomas Ward teward at thomas-ward.net
Fri Jan 22 06:04:29 UTC 2021


So, I don't run the NGINX webserver, but I am pretty sure this is on the 
remote server to serve the protocol right.  SSLLabs test shows that TLS 
1.3 is just not offered.

https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest

There's three other IPs (one IPv4 and two IPv6) that will very likely 
reflect the same tests as well.

So to answer your original question:

  > What have I done wrong or if it is your problem?

You didn't do anything wrong.  TLS 1.2 is the only protocol that's 
offered for SSL/TLS connections to the nginx.org site.


Thomas


On 1/21/21 11:50 PM, David Hu wrote:
> So I have to downgrade to TLS v1.2. The full command input and the connection process can be shown as follows:
> ./curl -vvvvv --http2-prior-knowledge --tlsv1.2 https://nginx.org
> *   Trying 52.58.199.22:443...
> * Connected to nginx.org (52.58.199.22) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *  CAfile: D:\curl-7.74.0_2-win64-mingw\bin\curl-ca-bundle.crt
> *  CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> *  subject: CN=nginx.org
> *  start date: Oct 29 16:45:05 2020 GMT
> *  expire date: Jan 27 16:45:05 2021 GMT
> *  subjectAltName: host "nginx.org" matched cert's "nginx.org"
> *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
> *  SSL certificate verify ok.
>> GET / HTTP/1.1
>> Host: nginx.org
>> User-Agent: curl/7.74.0
>> Accept: */*
>>
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Server: nginx/1.19.0
> < Date: Fri, 22 Jan 2021 04:43:32 GMT
> < Content-Type: text/html; charset=utf-8
> < Content-Length: 12676
> < Last-Modified: Tue, 15 Dec 2020 14:58:52 GMT
> < Connection: keep-alive
> < Keep-Alive: timeout=15
> < ETag: "5fd8cf2c-3184"
> < Accept-Ranges: bytes
> <
>
>
>
> So I neogotiate with your server to force use HTTP/2 (i.e. H2) and ALPN is offering H2 and HTTP/1.1 but at the finally I only get the HTTP version HTTP/1.1 not H2. The same cURL specs and versions and specs as the above message. What have I done wrong or if it is your problem?
>
> Thanks again.
> Regards,
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20210122/54597a18/attachment.htm>


More information about the nginx mailing list