Opened 2 years ago

Closed 2 years ago

#1625 closed defect (invalid)

TLS1.3 not available with nginx 1.15.3 and openssl 1.1.1-pre9

Reported by: Dryusdan@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.15.x
Keywords:
Cc:
uname -a: Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.1-pre9 (beta) 20 Jun 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/local/sbin/nginx --http-log-path=/var/log/nginx/logs/nginx_access.log --error-log-path=/var/log/nginx/logs/nginx_error.log --pid-path=/run/ --lock-path=/run/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-pcre-jit --with-mail_ssl_module --with-http_v2_module --with-file-aio --with-ipv6 --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/nginx-ct --add-module=/tmp/ngx_brotli --with-cc-opt='-O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -Wno-deprecated-declarations' --with-openssl-opt='no-async enable-ec_nistp_64_gcc_128 no-shared no-ssl2 no-ssl3 no-comp no-idea no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -O3 -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-openssl=/tmp/openssl-1.1.1-pre9


I compile the latest nginx version and the latest OpenSSL version every time. On the last compilation, with OpenSSL 1.1.1-pre9, I found a problem: TLS1.3 is not active, but with OpenSSL 1.1.1-pre8 it's okay.
I see in your changelog that you encountered some problems like this with the SSL lib version, so I think it is a good idea to report this problem to you :)

Thank you Nginx :D


Attachments (1) (3.8 KB ) - added by Dryusdan@… 2 years ago.
My script to compile nginx :)


Change History (2)

by Dryusdan@…, 2 years ago

Attachment: added

My script to compile nginx :)

comment:1 by Maxim Dounin, 2 years ago

Resolution: invalid
Status: new → closed

Works fine here. Note that TLS 1.3 in OpenSSL 1.1.1-pre9 switched to use on-wire version of TLS 1.3 as defined by RFC 8446, and this may not be compatible with other clients implementing earlier TLS 1.3 drafts. For tests, use the openssl binary as available with the library you've compiled nginx with.
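
Added example, not part of the ticket and not nginx or OpenSSL code: a Python sketch of the version negotiation behind the incompatibility described in comment:1. It reads the `supported_versions` extension from a ClientHello, where draft implementations advertised `0x7f00 | draft number` and RFC 8446 uses `0x0304`. The ClientHello bytes, the draft-28 client and all function names are constructed for illustration.

```python
import struct

TLS13_FINAL = 0x0304         # on-wire version of TLS 1.3 in RFC 8446
EXT_SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2.1
NAMES = {0x0304: "TLS 1.3 (RFC 8446)", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1"}

def label(version):
    """Name a 16-bit version; drafts were sent as 0x7f00 | draft number."""
    if version >> 8 == 0x7F:
        return "TLS 1.3 draft-%d" % (version & 0xFF)
    return NAMES.get(version, hex(version))

def offered_versions(hello):
    """Versions in supported_versions of a ClientHello body (the bytes
    after the 4-byte handshake header), in client preference order."""
    pos = 2 + 32                                        # legacy_version, random
    pos += 1 + hello[pos]                               # legacy_session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
    pos += 1 + hello[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        body = hello[pos + 4:pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        if ext_type == EXT_SUPPORTED_VERSIONS:
            if not body or body[0] % 2 or body[0] + 1 != ext_len:
                raise ValueError("malformed supported_versions")
            return list(struct.unpack("!%dH" % (body[0] // 2), body[1:]))
        pos += 4 + ext_len
    return []  # extension absent: client predates TLS 1.3

def negotiate(server_versions, hello):
    """First client-offered version the server also supports, else None.
    Simplification: without the extension, only legacy_version is tried."""
    offered = offered_versions(hello) or [struct.unpack_from("!H", hello)[0]]
    return next((label(v) for v in offered if v in server_versions), None)

def build_hello(versions):
    """Constructed minimal ClientHello body for the demo, not a capture."""
    sv = struct.pack("!B%dH" % len(versions), 2 * len(versions), *versions)
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"  # renegotiation_info first
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)

if __name__ == "__main__":
    server = {TLS13_FINAL, 0x0303}  # server built against a final-RFC library
    for client in ([0x7F1C, 0x0303], [0x0304, 0x0303]):  # draft-28 vs final
        print([label(v) for v in client], "->", negotiate(server, build_hello(client)))
```

A client that offers only a draft code point plus TLS 1.2 ends up on TLS 1.2 against a final-RFC server, while a client that offers `0x0304` gets TLS 1.3.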
