#1670 closed defect (duplicate)
Cipher list order not respected for TLS 1.3
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | nginx-1.15 |
| Component: | nginx-core | Version: | 1.15.x |
| Keywords: | tls 1.3, cipher list, order | Cc: | |
| uname -a: | Linux iz8mbw 4.14.73-v7+ #1148 SMP Mon Oct 1 16:57:50 BST 2018 armv7l GNU/Linux | | |

nginx -V:

    nginx version: nginx/1.15.6
    built by gcc 4.8.2 (Raspbian 4.8.2-21~rpi3rpi1)
    built with OpenSSL 1.1.1  11 Sep 2018
    TLS SNI support enabled
    configure arguments: --with-cc-opt=-I/opt/ssl/include --with-ld-opt='-L/opt/ssl/lib -ldl -Wl,-rpath,/opt/ssl/lib' --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --user=www-data --group=www-data --with-debug --with-stream --with-http_ssl_module --with-openssl-opt=enable-tls1_3 --with-http_v2_module --with-pcre=/opt/pcre --with-http_perl_module --with-http_realip_module --with-http_gunzip_module --with-http_gzip_static_module --add-module=/root/autobuild/ngx_http_substitutions_filter_module-master
Description
Hi.
I'm running nginx 1.15.6, it was built on Linux from source code and "linked" to OpenSSL 1.1.1 that was built in /opt/ssl.
    nginx version: nginx/1.15.6
    built by gcc 4.8.2 (Raspbian 4.8.2-21~rpi3rpi1)
    built with OpenSSL 1.1.1  11 Sep 2018
    TLS SNI support enabled
    configure arguments: --with-cc-opt=-I/opt/ssl/include --with-ld-opt='-L/opt/ssl/lib -ldl -Wl,-rpath,/opt/ssl/lib' --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --user=www-data --group=www-data --with-debug --with-stream --with-http_ssl_module --with-openssl-opt=enable-tls1_3 --with-http_v2_module --with-pcre=/opt/pcre --with-http_perl_module --with-http_realip_module --with-http_gunzip_module --with-http_gzip_static_module --add-module=/root/autobuild/ngx_http_substitutions_filter_module-master
This is the cipher list and TLS 1.3 part of my nginx.conf file:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS';
As you can see, I have enabled three ciphers for TLS 1.3 in this order:

    TLS_AES_128_GCM_SHA256
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
BUT if I check with the "Qualys SSL Labs" website (www.ssllabs.com), it shows me this cipher list order for TLS 1.3:

    # TLS 1.3 (suites in server-preferred order)
    TLS_AES_256_GCM_SHA384 (0x1302)         ECDH x25519 (eq. 3072 bits RSA)   FS   256
    TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
    TLS_AES_128_GCM_SHA256 (0x1301)         ECDH x25519 (eq. 3072 bits RSA)   FS   128

Why does nginx give, for TLS 1.3, a cipher list order different from my setting in the file nginx.conf?
This is because ciphers for TLSv1.3 can only be configured using a separate interface in OpenSSL 1.1.1 (and cannot be configured in BoringSSL), see ticket #1529.
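The behaviour described in the report and explained in the comment above can be reproduced without a live server: this is an added example (not code from the ticket or from nginx), using Python's ssl module, whose set_ciphers() wraps the same OpenSSL cipher-list interface that nginx's ssl_ciphers uses. The names REPORTED_CIPHERS, TLS12_ONLY_CIPHERS and the two functions are constructed for this illustration, and the cipher string is a shortened form of the one in the report; the ssl module exposes no wrapper for OpenSSL's separate TLS 1.3 ciphersuite interface, so the block shows the diagnosis only.

```python
import ssl

# Shortened version of the reporter's ssl_ciphers string, with the three
# TLS 1.3 names placed first exactly as in the nginx.conf from the ticket.
REPORTED_CIPHERS = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)

# The same string with the TLS 1.3 names removed (constructed for comparison).
TLS12_ONLY_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)


def effective_order(cipher_string):
    """Return (tls13_names, tls12_names) as the library would actually offer them.

    set_ciphers() calls SSL_CTX_set_cipher_list().  In OpenSSL 1.1.1 and later
    the TLS 1.3 suites live in a separate list (SSL_CTX_set_ciphersuites), so
    TLS 1.3 names in this string are silently skipped, and the combined list
    reported by get_ciphers() shows the TLS 1.3 suites in the library default
    order, which is what SSL Labs displayed for the reporter's server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    offered = ctx.get_ciphers()
    tls13 = [c["name"] for c in offered if c["protocol"] == "TLSv1.3"]
    tls12 = [c["name"] for c in offered if c["protocol"] != "TLSv1.3"]
    return tls13, tls12


def tls13_names_are_ignored(with_tls13_names, without_tls13_names):
    """True when listing TLS 1.3 names in the cipher string changed nothing at all."""
    return effective_order(with_tls13_names) == effective_order(without_tls13_names)


if __name__ == "__main__":
    tls13, tls12 = effective_order(REPORTED_CIPHERS)
    print("TLS 1.3 order actually offered:", tls13)  # library default, not the configured order
    print("TLS 1.2 order actually offered:", tls12)  # follows the cipher string, as expected
    print("TLS 1.3 names in ssl_ciphers had no effect:",
          tls13_names_are_ignored(REPORTED_CIPHERS, TLS12_ONLY_CIPHERS))
```

On an OpenSSL 1.1.1 or 3.x build the first list comes back as TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, matching the SSL Labs report above rather than the configured order.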