Opened 3 years ago

Closed 3 years ago

#2097 closed defect (worksforme)

Unable to enable TLSv1.3

Reported by: sdranju@…
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.19.x
Keywords:
Cc:
uname -a: [windows version]
nginx -V: nginx version: nginx/1.19.4
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1h 22 Sep 2020
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.44 --with-zlib=objs.msvc8/lib/zlib-1.2.11 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1h --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

Description

Nginx for Windows.
Enabled TLS v1.3; however, it's not getting active.

Nginx config:

server {
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;

    server_name xxx.xxxx.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /nginx/certs/chain.pem;
    ssl_certificate_key /nginx/certs/key.pem;

    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: worksforme
Status: new → closed

Just tested, works fine here. Please make sure that you are configuring ssl_protocols in the default server{} block for the listening socket, as it won't take effect in virtual servers selected by SNI.

Note well that there are no ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256. OpenSSL does not allow configuring TLSv1.3 ciphers using the ciphers string, see #1529 for details. If you want to configure TLSv1.3 ciphers with OpenSSL, the ssl_conf_command directive should be used.

If you have further questions on how to configure nginx, consider using support options available.
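The two points raised in the comment, written out as a configuration. This is an added example, not the reporter's config and not anything shipped by the nginx project; the host names, certificate paths and the second virtual host are assumptions chosen to show the behaviour. It requires nginx 1.19.4 or later (for ssl_conf_command) built against OpenSSL 1.1.1 or later (for TLSv1.3), which matches the nginx -V output above. The two server{} blocks go inside the http{} context.

```nginx
# Added example; names and paths are placeholders.

# The default server for the 443 sockets is the one whose ssl_protocols,
# ssl_ciphers and ssl_conf_command actually apply: the protocol version is
# chosen with this server's SSL context before SNI selects a server{}.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.example.com;

    ssl_certificate     /nginx/certs/chain.pem;
    ssl_certificate_key /nginx/certs/key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # ssl_ciphers is OpenSSL's cipher list and covers TLSv1.2 and earlier
    # only. Unrecognised names such as TLS-AES-256-GCM-SHA384 are dropped
    # by OpenSSL without an error, so they do nothing for TLSv1.3.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

    # TLSv1.3 suites are set through OpenSSL's SSL_CONF interface via
    # ssl_conf_command. These are the official names: TLS_ prefix and
    # underscores, not the hyphenated strings from the ticket.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

    add_header Strict-Transport-Security "max-age=63072000" always;
}

# A second virtual host selected by SNI. Its own ssl_protocols line passes
# nginx -t but does not change which protocol versions the shared listening
# socket offers; only the default server's ssl_protocols counts.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name other.example.com;

    ssl_certificate     /nginx/certs/other-chain.pem;
    ssl_certificate_key /nginx/certs/other-key.pem;

    ssl_protocols TLSv1.2;   # no effect here: TLSv1.3 stays enabled
}
```

To check the result from a client with OpenSSL 1.1.1 or later, run `openssl s_client -connect www.example.com:443 -servername www.example.com -tls1_3 < /dev/null` and look for `Protocol  : TLSv1.3` and one of the three configured suites in the `Cipher` line; repeating the command with `-tls1_2` confirms the TLSv1.2 list from ssl_ciphers is still served. Running the same check with `-servername other.example.com` shows that the SNI-selected server still negotiates TLSv1.3 despite its own ssl_protocols line.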
