Client can't negotiate with TLS 1.0 and 1.1

Fabiano Furtado Pessoa Coelho fusca14 at gmail.com
Thu Aug 25 16:59:39 UTC 2022


Hi...

On Thu, Aug 25, 2022 at 12:59 PM Sergey Kandaurov wrote:
>
>
> > On 25 Aug 2022, at 00:22, Fabiano Furtado Pessoa Coelho wrote:
> >
> > Hi...
> >
> > I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> > with one NIC and 2 IPs, with the following config:
> >
> > [...]
> > Why can't I connect with TLS 1.0 or 1.1 on insecure.example.com?
> >
> > Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1?
> >
>
> TLS 1.0 and 1.1 are de-facto disabled by default in OpenSSL 3.0+.
> See for more details: https://trac.nginx.org/nginx/ticket/2250

Hi Sergey...

Thanks for the help, but I have tried...

"ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0;"

and

"ssl_ciphers DEFAULT:@SECLEVEL=0;"

but, unfortunately, I still can't connect with TLS 1.0 and 1.1. :(

Is there another "ssl_ciphers" that I could try?

Thanks again.
Fabiano Furtado
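
Added example, not part of the original message or of nginx: a client-side probe that offers exactly one TLS version per handshake, so a failure on TLS 1.0/1.1 can be attributed to the server rather than to the testing client's own OpenSSL 3.0+ defaults. The names `VERSIONS`, `pinned_context` and `probe` are hypothetical, and it assumes port 443 and that certificate checks can be skipped for a diagnostic handshake.

```python
import socket
import ssl
import sys
import warnings

# Protocol versions to probe, one handshake each.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def pinned_context(name):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic probe only: we want the negotiated version, not an identity check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Lower the client's own security level so an OpenSSL 3.0+ client does
    # not refuse TLS 1.0/1.1 before the server gets a say.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    return ctx

def probe(host, port, name, timeout=5.0):
    """Return (ok, detail): negotiated version and cipher, or the failure reason."""
    try:
        ctx = pinned_context(name)
    except (ValueError, ssl.SSLError) as exc:
        return (False, f"local OpenSSL cannot offer {name}: {exc}")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sends SNI, which selects the name-based server block.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return (True, f"{tls.version()} {tls.cipher()[0]}")
    except ssl.SSLError as exc:
        return (False, f"handshake failed: {exc.reason or exc}")
    except OSError as exc:
        return (False, f"connection failed: {exc}")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "insecure.example.com"
    for name in VERSIONS:
        print(name, *probe(host, 443, name))
```

A "handshake failed" result for TLSv1 or TLSv1.1 alongside success for TLSv1.2 means the server side refused the legacy version; "local OpenSSL cannot offer" means the client build itself lacks it.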


