Opened 5 years ago

Closed 5 years ago

#1770 closed defect (invalid)

How to enable tls1.3 in nginx?

Reported by: rakeshgowdah92@… Owned by:
Priority: critical Milestone: nginx-1.15
Component: nginx-package Version: 1.15.x
Keywords: Cc:
uname -a: Linux ip-172-0-2-109.eu-central-1.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

I am setting up nginx in the below-configured server

NAME="Red Hat Enterprise Linux Server"
VERSION="7.6 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.6"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.6 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.6:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.6"
I have installed nginx version: nginx/1.15.11 in server. And config file looks as below

server {

listen 80 default_server;
listen [::]:80 default_server;
server_name hub.sigmabh.io;
return 301 https://***.***.io$request_uri;

}

server {

listen 443 ssl;
ssl_certificate /etc/ssl/*.pem;
ssl_certificate_key /etc/ssl/
*.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
server_name *.*.io;
server_tokens off;
client_max_body_size 3M;

location /static/ {

alias /home/*/static/;

}
location /static/admin {

alias /home/*/admin/;

}

location / {

proxy_pass https://*.*.*.*:4000/;
proxy_set_header Host $host;
proxy_ssl_server_name on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

}
}

I have enabled tls1.3 in google chrome and if I make a request from the browser, the application is not loading. I am getting "There was a problem with the handshake. The site may not support a protocol or cipher we can use.", if I scan the URL.

TLS1.2 is working fine. Openssl version is OpenSSL 1.0.2o 27 Mar 2018.

How to enable the tls1.3 in nginx to the application?

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: newclosed

For questions on how to configure nginx please use mailing lists instead. Note well that there is no TLSv1.3 support in OpenSSL 1.0.2 you are using.

Note: See TracTickets for help on using tickets.