#1878 closed defect (duplicate)
Set ciphersuite list order for TLS 1.3
Reported by: | | Owned by: |
---|---|---|---
Priority: | major | Milestone: | nginx-1.17
Component: | nginx-core | Version: | 1.17.x
Keywords: | tls1.3 cipher chipersuite | Cc: | ilya@…
uname -a: | Linux ilya.pp.ua 5.3.5-1-default #1 SMP Tue Oct 8 06:39:44 UTC 2019 (1838763) x86_64 x86_64 x86_64 GNU/Linux | |

nginx -V:

    nginx version: nginx/1.17.3
    built by gcc 9.2.1 20190903 [gcc-9-branch revision 275330] (SUSE Linux)
    built with OpenSSL 1.1.1c 28 May 2019
    TLS SNI support enabled
    configure arguments: --prefix=/usr/ --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/ --http-proxy-temp-path=/var/lib/nginx/proxy/ --http-fastcgi-temp-path=/var/lib/nginx/fastcgi/ --http-uwsgi-temp-path=/var/lib/nginx/uwsgi/ --http-scgi-temp-path=/var/lib/nginx/scgi/ --user=nginx --group=nginx --without-select_module --without-poll_module --with-threads --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl=/usr/bin/perl --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-pcre --with-pcre-jit --with-libatomic --with-compat --add-module=nginx_upstream_check_module-0.3.0 --add-dynamic-module=ngx-fancyindex-0.4.2 --add-dynamic-module=headers-more-nginx-module-0.33 --add-dynamic-module=nginx-rtmp-module-1.2.1 --with-cc-opt='-O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=8 -g -fPIC -D_GNU_SOURCE -std=gnu99 -fstack-protector' --with-ld-opt='-Wl,-z,relro,-z,now -pie'
Description
In nginx there is no way to reorder ciphers for TLS 1.3.

The option of changing the openssl.cnf settings, which is proposed for this in https://trac.nginx.org/nginx/ticket/1529#comment:12, makes at least one server application (Dovecot) inoperative:
https://bugzilla.opensuse.org/show_bug.cgi?id=1154551

So this is not an option, and nginx itself must be able to reorder the ciphers for TLS 1.3.
Change History (4)
comment:1 by , 5 years ago
Resolution: | → duplicate
---|---
Status: | new → closed

The error message

    ... section=system_default, cmd=HOME, arg=. ...

suggests there is an incorrect command `HOME = .` in the system default section of your `openssl.cnf`. This doesn't result in a failure during normal operation, but leaves an error in the error queue. It looks like Dovecot's certificate loading assumes there should be no stale errors in the error queue, and fails due to the one left in the queue (see `ssl_ctx_use_certificate_chain()` in `src/lib-ssl-iostream/iostream-openssl-context.c`). It might be a good idea for Dovecot to change this assumption, as OpenSSL tends to leak stale errors from time to time, but this is clearly out of the scope of this bug tracker.

An obvious solution here is to fix errors in the `openssl.cnf` file.

Also, as a workaround you can provide different openssl configs for different programs, using the `OPENSSL_CONF` environment variable. This probably doesn't make sense though, as fixing errors in the existing `openssl.cnf` file should be easy enough.

Either way, closing this as a duplicate of #1529.

comment:2 by , 5 years ago
> An obvious solution here is to fix errors in the openssl.cnf file.

Could you please see where the error is in my openssl.cnf file?
I haven't found utilities for checking this file, and when I use the openssl commands I also don't get errors.
https://bugzilla.opensuse.org/attachment.cgi?id=822578

comment:3 by , 5 years ago
You've put additional sections (currently commented) before your original contents of the default section, and it breaks things, because the default section is special and lasts from the start of the file till the first named section. Consider reading the config(5) manual page to find out how OpenSSL configuration files are structured and how to combine your existing configuration file contents with the things you are trying to add without breaking things.

comment:4 by , 5 years ago
https://www.openssl.org/docs/man1.1.1/man5/config.html#EXAMPLES
Thank you, it works if you insert it before the `[ new_oids ]` (first in the current config) section.
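To make the rule from comment:3 concrete (the unnamed default section runs from the start of the file until the first named section) and to show how the `HOME = .` line from comment:1 turns into a bogus `system_default` command, here is an added example in Python. It is not code from nginx, OpenSSL or Dovecot. It implements a toy parser for the openssl.cnf section grammar, follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain the way OpenSSL's library initialisation does, and reports every key in the resulting SSL section that is not an SSL_CONF command. Both configuration samples are constructed for the example, and the list of SSL_CONF command names is a subset assumed to be enough here.

```python
"""Toy openssl.cnf layout checker (added example; not nginx/OpenSSL/Dovecot code).

Mimics one rule of OpenSSL's config(5) grammar: every line before the first
"[section]" header belongs to the unnamed default section.  It then follows the
openssl_conf -> ssl_conf -> system_default chain and lists keys in the
system_default section that are not SSL_CONF commands, which is how a
misplaced "HOME = ." shows up as "section=system_default, cmd=HOME".
"""
import re

# SSL_CONF_cmd(3) file-format commands allowed in an SSL section.
# A subset, assumed sufficient for this example.
SSL_CONF_COMMANDS = {
    "CipherString", "Ciphersuites", "Curves", "Groups", "Protocol",
    "MinProtocol", "MaxProtocol", "Options", "SignatureAlgorithms",
    "ClientSignatureAlgorithms", "Certificate", "PrivateKey",
    "VerifyMode", "VerifyCAPath", "VerifyCAFile",
}

_SECTION_RE = re.compile(r"^\[\s*(\S+)\s*\]$")


def parse_cnf(text):
    """Return {section: [(key, value), ...]}; "" is the default section."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = _SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:  # the toy parser ignores anything that is not key = value
            sections[current].append((key.strip(), value.strip()))
    return sections


def _lookup(pairs, key):
    """First value for key in a section's (key, value) list, else None."""
    for k, v in pairs:
        if k == key:
            return v
    return None


def system_default_errors(text):
    """Keys in the system_default SSL section that are not SSL_CONF commands."""
    cnf = parse_cnf(text)
    init_sect = _lookup(cnf[""], "openssl_conf")  # must live in default section
    if init_sect is None:
        return []
    ssl_sect = _lookup(cnf.get(init_sect, []), "ssl_conf")
    if ssl_sect is None:
        return []
    sysdef = _lookup(cnf.get(ssl_sect, []), "system_default")
    if sysdef is None:
        return []
    return [k for k, _ in cnf.get(sysdef, []) if k not in SSL_CONF_COMMANDS]


# Constructed sample: the TLS 1.3 ordering stanza pasted at the very top, so
# the original default-section line "HOME = ." now sits inside
# [system_default_sect] and is parsed as an SSL command named HOME.
BROKEN_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
MinProtocol = TLSv1.2
# --- original openssl.cnf contents followed here ---
HOME = .
[ new_oids ]
"""

# Constructed sample with the same stanza inserted after the original
# default-section lines and before the first named section, [ new_oids ].
FIXED_CNF = """\
HOME = .
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
MinProtocol = TLSv1.2
[ new_oids ]
"""

if __name__ == "__main__":
    for name, cnf in (("broken", BROKEN_CNF), ("fixed", FIXED_CNF)):
        print(name, "stray commands in system_default:", system_default_errors(cnf))
```

Run stand-alone, the broken layout reports `HOME` as a stray command in `system_default`, while the fixed layout, with the new stanza placed after the original default-section lines and before `[ new_oids ]`, reports nothing. The `Ciphersuites` command in the samples is the OpenSSL 1.1.1 setting that fixes the TLS 1.3 ciphersuite list and its order, which is the knob this ticket asks nginx to expose directly; the checker only catches the layout mistake discussed in the ticket, not every way an openssl.cnf can be wrong.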