Why does the nginx.org main site not supporting TLS v1.3?

David Hu D4v1d_4n0 at protonmail.ch
Fri Jan 22 10:19:55 UTC 2021


OK. Thank you. But what about the HTTP/1.1 and HTTP/2 problem? As I mentioned before, I neogotiated with the server for H2 in the early ALPN. However the server only accepts HTTP/1.1 and why is that? My cURL has explicitly specified --http2-prior-knowledge but it still does not work. It still connects via HTTP/1.1.

Thank you for all your answers!Regards,
David Hu

[PGP Public Key attached, key ID: 0x340A848D ; fingerprint: 340a 848d 4333 6873 d48f 5dad 8847 c44d 75c3 da38]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, January 21st, 2021 at 10:08 PM, Thomas Ward <teward at thomas-ward.net> wrote:

> To clarify, I meant I don't run nginx.org's nginx server that they have.  ;)
> 

> The remaining IP tests by SSLLabs shows the same behavior - https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&latest - so it's just a case of these servers being configured to only use TLS 1.2.  POSSIBLY they're using an older set of OpenSSL or similar libraries that don't have TLS 1.3 yet, but it's also just possible it's disabled - TLS 1.3 isn't exactly the most 'accepted' protocol yet by certain policies and standards, so that's a consideration too.
> 

> Thomas
> 

> On 1/22/21 1:04 AM, Thomas Ward wrote:
> 

> > So, I don't run the NGINX webserver, but I am pretty sure this is on the remote server to serve the protocol right.  SSLLabs test shows that TLS 1.3 is just not offered.
> > 

> > https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest
> > 

> > There's three other IPs (one IPv4 and two IPv6) that will very likely reflect the same tests as well.
> > 

> > So to answer your original question:
> > 

> >  > What have I done wrong or if it is your problem?
> > 

> > You didn't do anything wrong.  TLS 1.2 is the only protocol that's offered for SSL/TLS connections to the nginx.org site.
> > 

> > Thomas
> > 

> > On 1/21/21 11:50 PM, David Hu wrote:
> > 

> > > So I have to downgrade to TLS v1.2. The full command input and the connection process can be shown as follows:
> > > ./curl -vvvvv --http2-prior-knowledge --tlsv1.2 https://nginx.org
> > > *   Trying 52.58.199.22:443...
> > > * Connected to nginx.org (52.58.199.22) port 443 (#0)
> > > * ALPN, offering h2
> > > * ALPN, offering http/1.1
> > > * successfully set certificate verify locations:
> > > *  CAfile: D:\curl-7.74.0_2-win64-mingw\bin\curl-ca-bundle.crt
> > > *  CApath: none
> > > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > > * ALPN, server accepted to use http/1.1
> > > * Server certificate:
> > > *  subject: CN=nginx.org
> > > *  start date: Oct 29 16:45:05 2020 GMT
> > > *  expire date: Jan 27 16:45:05 2021 GMT
> > > *  subjectAltName: host "nginx.org" matched cert's "nginx.org"
> > > *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
> > > *  SSL certificate verify ok.
> > > 

> > > > GET / HTTP/1.1
> > > > Host: nginx.org
> > > > User-Agent: curl/7.74.0
> > > > Accept: */*
> > > 

> > > * Mark bundle as not supporting multiuse
> > > < HTTP/1.1 200 OK
> > > < Server: nginx/1.19.0
> > > < Date: Fri, 22 Jan 2021 04:43:32 GMT
> > > < Content-Type: text/html; charset=utf-8
> > > < Content-Length: 12676
> > > < Last-Modified: Tue, 15 Dec 2020 14:58:52 GMT
> > > < Connection: keep-alive
> > > < Keep-Alive: timeout=15
> > > < ETag: "5fd8cf2c-3184"
> > > < Accept-Ranges: bytes
> > > <
> > > 

> > > 

> > > 

> > > So I neogotiate with your server to force use HTTP/2 (i.e. H2) and ALPN is offering H2 and HTTP/1.1 but at the finally I only get the HTTP version HTTP/1.1 not H2. The same cURL specs and versions and specs as the above message. What have I done wrong or if it is your problem?
> > > 

> > > Thanks again.
> > > Regards,
> > > 

> > > _______________________________________________
> > > nginx mailing list
> > > nginx at nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> > 

> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20210122/e9be0b4c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20210122/e9be0b4c/attachment.bin>


More information about the nginx mailing list