Opened 3 years ago
Closed 3 years ago
#2250 closed defect (invalid)
nginx does not respond via TLSv1 and TLSv1.1 when built with OpenSSL 3.0.0
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | |
| Keywords: | | Cc: | |
| uname -a: | Linux origin000 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:

```
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
built with OpenSSL 3.0.0 7 sep 2021
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-3.0.0 --with-openssl-opt=enable-weak-ssl-ciphers --with-http_ssl_module
```
Description
nginx v1.21.3 does not respond via TLSv1 and TLSv1.1 when built with OpenSSL 3.0.0, even when it is compiled with "--with-openssl-opt=enable-weak-ssl-ciphers".

Using testssl.sh:

```
$ ./testssl.sh tls.example.net | grep TLS
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
```
e.g. nginx.conf:

```
# cat /usr/local/nginx/conf/nginx.conf
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  tls.example.net;

        ssl_certificate      tls.crt;
        ssl_certificate_key  tls.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_session_timeout  5m;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}
```
When I compile it with OpenSSL 1.1.1l, nginx will respond over TLSv1 and TLSv1.1.

Compiled with OpenSSL 1.1.1l:

```
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-1.1.1l --with-openssl-opt=enable-weak-ssl-ciphers --with-http_ssl_module
```

Using the same nginx.conf:

```
$ ./testssl.sh tls.example.net | grep TLS
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
```
They are no longer enabled by default, see OpenSSL 3.0 CHANGES.md:
The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
This means older protocols versions such as TLS 1.1 no longer work.
It may still be re-enabled by lowering the security level, e.g.:

```
ssl_ciphers DEFAULT:@SECLEVEL=0;
```
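Added example (not from the ticket, nginx or OpenSSL): a small Python audit over an nginx `server` block that flags the two settings discussed above, deprecated protocols in `ssl_protocols` and an `@SECLEVEL` below the OpenSSL 3 default of 1 in `ssl_ciphers`, so a defender can spot where TLSv1/TLSv1.1 have been re-enabled after an OpenSSL 3 upgrade. The sample blocks are constructed for the demonstration.

```python
import re

# Protocol tokens, as nginx spells them in ssl_protocols, that OpenSSL 3
# refuses at its default security level 1.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _directive_args(server_block, name):
    """Return the arguments of the last uncommented `name ...;` directive,
    or None if the directive is absent (nginx keeps the last occurrence)."""
    found = None
    for line in server_block.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(rf"^{name}\s+(.*?)\s*;", line)
        if m:
            found = m.group(1)
    return found

def seclevel_of(cipher_string):
    """Extract the @SECLEVEL=n value from an OpenSSL cipher string.
    OpenSSL 3 applies level 1 when the string does not set one."""
    m = re.search(r"@SECLEVEL=(\d)", cipher_string or "")
    return int(m.group(1)) if m else 1

def audit_server_block(server_block):
    """Return a list of findings for the TLS settings of one server block."""
    findings = []
    protocols = (_directive_args(server_block, "ssl_protocols") or "").split()
    weak = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    level = seclevel_of(_directive_args(server_block, "ssl_ciphers"))
    if level < 1:
        findings.append(f"ssl_ciphers sets @SECLEVEL={level} (below OpenSSL 3 default of 1)")
    return findings

# Constructed sample: the ticket's protocol list plus the SECLEVEL=0 workaround.
WEAK_BLOCK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers DEFAULT:@SECLEVEL=0;   # re-enables TLS 1.0/1.1 on OpenSSL 3
}
"""
# Constructed sample: the hardened form that needs no security-level change.
HARDENED_BLOCK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

if __name__ == "__main__":
    for name, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(name, audit_server_block(block) or ["no findings"])
```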