Opened 2 weeks ago

Closed 6 days ago

#2138 closed defect (worksforme)

TLSv1.3 Problems

Reported by: tobias992@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.19.x
Keywords: TLSv1.3 Cc:
uname -a: Linux bnode01 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.7
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019 (running with OpenSSL 1.1.1i 8 Dec 2020)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.7/debian/debuild-base/nginx-1.19.7=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Hello,
i have problems to activate TLSv1.3. My Config seems correct - so maybe its an Bug.

nginx.conf:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh-certs/dhparam4096.pem;
ssl_ecdh_curve secp384r1;

TLSv1.3 is not working.

I installed NGINX from official docs:
http://nginx.org/en/linux_packages.html#Debian

Change History (2)

comment:1 by Maxim Dounin, 2 weeks ago

Please define "TLSv1.3 is not working". How do you test it? Does TLSv1.2 work with the same configuration and in the same tests?

Please also provide full configuration as shown by nginx -T. Note that there is a bug in OpenSSL (see ticket #2071) which prevents TLSv1.3 from working when using ssl_reject_handshake without any certificates in the default server{} block.

comment:2 by Maxim Dounin, 6 days ago

Resolution: worksforme
Status: newclosed

Feedback timeout.

Note: See TracTickets for help on using tickets.