Unable to activate TLS1.3

Taco de Wolff tacodewolff at gmail.com
Tue Mar 19 12:39:12 UTC 2024 

Hi,

I'm using Nginx 1.25.4 with the OpenSSL 1.1.1k FIPS build on CentOS Stream
8 (FIPS not enabled). I have checked that the OpenSSL library can connect
to other services using TLS1.3 and Postfix + Dovecot work fine on TLS1.3 as
well, but Nginx doesn't seem to enable TLS1.3 as reported by SSLLabs and by
checking manually using:

$ openssl s_client -connect domain.com:443 -tls1_3
CONNECTED(00000003)
4027EC8EC57D0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert
protocol version:ssl/record/rec_layer_s3.c:865:SSL alert number 70

TLS1.2 works fine though, and I'm sure TLS1.3 used to work but I can't
figure out what has changed. The relevant configuration:


http {
    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:32m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/dhparam.pem;

    # SSL ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    #ssl_prefer_server_ciphers on;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    resolver 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # HTTP3
    http3_hq on;
    quic_gso on;
    quic_retry on;
    #ssl_early_data on;

    # ...
}

server {
    listen 443 ssl;
    listen 443 quic;
    listen [::]:443 ssl;
    listen [::]:443 quic;

    http2 on;

    # SSL
    ssl_certificate         /etc/pki/lego/certificates/domain.com.crt;
    ssl_certificate_key     /etc/pki/lego/certificates/domain.com.key;
    ssl_trusted_certificate
/etc/pki/lego/certificates/domain.com.issuer.crt;

    # ...
}


I'm really at a loss and unsure how to proceed debugging this. What else
could be the problem? Thank you for your time.

Kind regards,
Taco de Wolff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240319/4e0544f1/attachment.htm>

More information about the nginx mailing list