Changes between Initial Version and Version 1 of Ticket #1529, comment 19


Timestamp: 04/13/20 00:11:46 (4 years ago)
Author: bilditup1@…

  • Ticket #1529, comment 19

    initial v1  
    33> Configuring OpenSSL is maybe not Nginx’ reliability, but some hint in the official documentation would be great.
    44
    5 OPENSSL_CONF, in fact, set, neither by OpenSSL nor by nginx. It's easy enough to set it using your distro's service manager of choice or otherwise by some script. In systemd on Ubuntu, for example, one would want to add this to the Service section of /lib/systemd/system/nginx.service:
     5OPENSSL_CONF is not, in fact, set, neither by OpenSSL nor by nginx. It's easy enough to set it using your distro's service manager of choice or otherwise by some script. In systemd on Ubuntu, for example, one would want to add this to the Service section of /lib/systemd/system/nginx.service:
    66  {{{#!bash
    77Environment=OPENSSL_CONF=/etc/ssl/openssl.cnf
    88  }}}
    9 substituting the above path for whichever one openssl.cnf file you'd like to use (it doesn't *need* to be the one in the 'official' openssl directory). After that, it looks like nginx does in fact respect the values in whatever configuration file you specified above.
     9substituting the above path for that of whichever openssl.cnf file you'd like to use (it doesn't *need* to be the one in the 'official' openssl directory). After that, it looks like nginx does in fact respect the values in whatever configuration file you specified above.
    1010
    1111And yeah, it would be nice if this information, along with Maxim's and Laurence's example configs above, were made available in some official document, instead of just this old ticket, particularly if an insistence on the jankiness of the current API means that specifying TLS 1.3 ciphersuite order directly in nginx's own configuration files is not in the cards in the foreseeable future. Not trying to be a jerk about it, I understand this is a free product, you are under no obligation, and this configuration information would be for an entirely different package which you don't produce or control, etc. But I bet it would be enormously helpful to many people who, like me, discovered this bug report ages ago, but couldn't figure out how to get these settings to take until very recently.
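Review bot: revised line 5 still directs readers to add the Environment= line to /lib/systemd/system/nginx.service, which is the packaged unit file, so the OPENSSL_CONF setting can be lost when the package replaces that file on upgrade. Suggest pointing to a drop-in override instead (systemctl edit nginx writes one under /etc/systemd/system/nginx.service.d/), and mentioning that nginx must be restarted for the new environment to apply. In revised line 9, "substituting the above path for that of whichever openssl.cnf file" reads backwards; "replacing the above path with that of whichever openssl.cnf file" says what is meant. Since that file then governs nginx's TLS settings, it is also worth noting that it should be writable only by root.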