Opened 4 years ago
Closed 4 years ago
#2097 closed defect (worksforme)
Unable to enable TLSv1.3
Reported by: | | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | nginx-core | Version: | 1.19.x
Keywords: | | Cc: |
uname -a: | [windows version] | |

nginx -V:

```text
nginx version: nginx/1.19.4
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1h  22 Sep 2020
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.44 --with-zlib=objs.msvc8/lib/zlib-1.2.11 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1h --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module
```
Description
Nginx for Windows.
Enabled TLSv1.3; however, it does not become active.
Nginx config:

```nginx
# The enclosing server{} block is not shown in the ticket; the directives
# below are reproduced as posted, inside one server block for readability.
server {
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xxx.xxxx.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /nginx/certs/chain.pem;
    ssl_certificate_key /nginx/certs/key.pem;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}
```
Just tested, works fine here. Please make sure that you are configuring `ssl_protocols` in the default `server{}` block for the listening socket, as it won't take effect in virtual servers selected by SNI.

Note well that there are no ciphers `TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256`. OpenSSL does not allow configuring TLSv1.3 ciphers using the ciphers string, see #1529 for details. If you want to configure TLSv1.3 ciphers with OpenSSL, the `ssl_conf_command` directive should be used.

If you have further questions on how to configure nginx, consider using support options available.