Changes between Initial Version and Version 1 of Ticket #1529, comment 19
Timestamp: 04/13/20 00:11:46 (5 years ago)
Ticket #1529, comment 19
initial 3 / v1 3 (unmodified):
> Configuring OpenSSL is maybe not Nginx’ reliability, but some hint in the official documentation would be great.

initial 5:
OPENSSL_CONF , in fact, set, neither by OpenSSL nor by nginx. It's easy enough to set it using your distro's service manager of choice or otherwise by some script. In systemd on Ubuntu, for example, one would want to add this to the Service section of /lib/systemd/system/nginx.service:

v1 5:
OPENSSL_CONF is not, in fact, set, neither by OpenSSL nor by nginx. It's easy enough to set it using your distro's service manager of choice or otherwise by some script. In systemd on Ubuntu, for example, one would want to add this to the Service section of /lib/systemd/system/nginx.service:

initial 6-8 / v1 6-8 (unmodified):
{{{#!bash
Environment=OPENSSL_CONF=/etc/ssl/openssl.cnf
}}}

initial 9:
substituting the above path for whichever oneopenssl.cnf file you'd like to use (it doesn't *need* to be the one in the 'official' openssl directory). After that, it looks like nginx does in fact respect the values in whatever configuration file you specified above.

v1 9:
substituting the above path for that of whichever openssl.cnf file you'd like to use (it doesn't *need* to be the one in the 'official' openssl directory). After that, it looks like nginx does in fact respect the values in whatever configuration file you specified above.

initial 11 / v1 11 (unmodified):
And yeah, it would be nice if this information, along with Maxim's and Laurence's example configs above, were made available in some official document, instead of just this old ticket, particularly if an insistence on the jankiness of the current API means that specifying TLS 1.3 ciphersuite order directly in nginx's own configuration files is not in the cards in the foreseeable future. Not trying to be a jerk about it, I understand this is a free product, you are under no obligation, and this configuration information would be for an entirely different package which you don't produce or control, etc.
But I bet it would be enormously helpful to many people who, like me, discovered this bug report ages ago, but couldn't figure out how to get these settings to take until very recently.
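
A way to confirm that the `Environment=OPENSSL_CONF=...` setting described in the comment actually reached the running nginx process, as an added example that is not part of the ticket or of nginx. The function names are hypothetical, and the pid file path in the usage comment is an assumption that varies by distribution.

```bash
#!/bin/sh
# Added example: verify which OPENSSL_CONF a process was started with.
# On Linux, /proc/<pid>/environ holds the process's start-up environment
# as NUL-separated KEY=VALUE pairs. A changed unit file only takes effect
# after `systemctl daemon-reload` and a restart of the service.

# Print the value of OPENSSL_CONF found in an environ file ($1), or nothing.
openssl_conf_of() {
    tr '\0' '\n' < "$1" | sed -n 's/^OPENSSL_CONF=//p' | head -n 1
}

# Compare the value in environ file $1 with the expected path $2.
# Returns 0 on match, 1 if unset, 2 on mismatch, 3 if $1 is unreadable.
check_openssl_conf() {
    environ_file=$1
    expected=$2
    if [ ! -r "$environ_file" ]; then
        echo "cannot read $environ_file (try as root)"
        return 3
    fi
    actual=$(openssl_conf_of "$environ_file")
    if [ -z "$actual" ]; then
        echo "OPENSSL_CONF is not set; OpenSSL will use its built-in default path"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "OPENSSL_CONF=$actual, expected $expected"
        return 2
    fi
    echo "OPENSSL_CONF=$actual"
    return 0
}

# Usage against a live master process (pid file location is an assumption):
#   check_openssl_conf "/proc/$(cat /run/nginx.pid)/environ" /etc/ssl/openssl.cnf
```
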