Opened 8 months ago

Closed 8 months ago

#1770 closed defect (invalid)

How to enable tls1.3 in nginx?

Reported by: rakeshgowdah92@… Owned by:
Priority: critical Milestone: nginx-1.15
Component: nginx-package Version: 1.15.x
Keywords: Cc:
uname -a: Linux ip-172-0-2-109.eu-central-1.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.12 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

I am setting up nginx on the server configured as below:

NAME="Red Hat Enterprise Linux Server"
VERSION="7.6 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.6"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.6 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.6:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.6"

I have installed nginx version nginx/1.15.11 on the server, and the config file looks as below:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name hub.sigmabh.io;
    return 301 https://***.***.io$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/*.pem;
    ssl_certificate_key /etc/ssl/*.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3;
    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
    server_name *.*.io;
    server_tokens off;
    client_max_body_size 3M;

    location /static/ {
        alias /home/*/static/;
    }
    location /static/admin {
        alias /home/*/admin/;
    }

    location / {
        proxy_pass https://*.*.*.*:4000/;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

I have enabled TLS 1.3 in Google Chrome, and if I make a request from the browser, the application does not load. If I scan the URL, I get "There was a problem with the handshake. The site may not support a protocol or cipher we can use."

TLS1.2 is working fine. Openssl version is OpenSSL 1.0.2o 27 Mar 2018.

How do I enable TLS 1.3 in nginx for the application?

Change History (1)

comment:1 Changed 8 months ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

For questions on how to configure nginx please use mailing lists instead. Note well that there is no TLSv1.3 support in OpenSSL 1.0.2 you are using.
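A check added here, not part of the ticket or of nginx itself, that reads `nginx -V 2>&1` and reports whether the OpenSSL nginx is linked against can speak TLS 1.3 at all (OpenSSL 1.1.1 or newer), which is the point the comment above makes. The sample input is constructed from this ticket's `nginx -V` line, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the ticket: read `nginx -V` output (it prints to
# stderr, so capture it with `nginx -V 2>&1`) and decide whether the OpenSSL
# nginx is using can do TLS 1.3 at all (requires OpenSSL >= 1.1.1).

# Print the OpenSSL version (major.minor.patch) nginx is using, from
# `nginx -V` text on stdin. Prefers "running with" (dynamically linked,
# possibly newer) over "built with"; prints nothing if neither is present.
openssl_version_from_nginx_v() {
    out=$(cat)
    v=$(printf '%s\n' "$out" | sed -n 's/.*running with OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1)
    [ -n "$v" ] || v=$(printf '%s\n' "$out" | sed -n 's/.*built with OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1)
    printf '%s\n' "$v"
}

# True (exit 0) when the version is >= 1.1.1, the first OpenSSL with TLS 1.3.
openssl_supports_tls13() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;; *) patch=0 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Constructed sample: the relevant lines of this ticket's `nginx -V` output.
SAMPLE_V='nginx version: nginx/1.15.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

# Verdict for `nginx -V` text on stdin: exit 0 if TLS 1.3 is possible,
# 1 if the OpenSSL is too old, 2 if no version line was found.
tls13_verdict() {
    v=$(openssl_version_from_nginx_v)
    [ -n "$v" ] || { echo "no OpenSSL version line in nginx -V output"; return 2; }
    if openssl_supports_tls13 "$v"; then
        echo "OpenSSL $v: TLS 1.3 possible; keep TLSv1.2 in ssl_protocols as well"
        return 0
    fi
    echo "OpenSSL $v: no TLS 1.3; nginx must be built and run with OpenSSL >= 1.1.1"
    return 1
}

# Stand-alone demo on the constructed sample (prints the "no TLS 1.3" verdict).
printf '%s\n' "$SAMPLE_V" | tls13_verdict || :

# Live check once a capable OpenSSL is in place (not run here):
#   openssl s_client -connect HOST:443 -servername HOST -tls1_3 </dev/null
```

Once a TLS 1.3-capable OpenSSL is in place, note that nginx's `ssl_ciphers` only applies to TLS 1.2 and below, so the `TLS13-*` names in the configuration above are ignored and TLS 1.3 suites come from OpenSSL's defaults (or, in nginx 1.19.4 and later, `ssl_conf_command Ciphersuites`). Keeping `TLSv1.2` in `ssl_protocols` alongside `TLSv1.3` avoids locking out clients that cannot negotiate 1.3.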
