Opened 4 weeks ago

Closed 4 weeks ago

#2250 closed defect (invalid)

nginx does not response via TLSv1 and TLSv1.1 when built with OpenSSL 3.0.0

Reported by: soukichi@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version:
Keywords: Cc:
uname -a: Linux origin000 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: # /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
built with OpenSSL 3.0.0 7 sep 2021
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-3.0.0 --with-openssl-opt=enable-weak-ssl-ciphers --with-http_ssl_module

Description

nginx v1.21.3 does not response via TLSv1 and TLSv1.1 when built with OpenSSL 3.0.0 even it compiled with "--with-openssl-opt=enable-weak-ssl-ciphers".

using testssl.sh.

$ ./testssl.sh tls.example.net | grep TLS
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

e.g. nginx.conf

# cat /usr/local/nginx/conf/nginx.conf
worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  tls.example.net;

        ssl_certificate      tls.crt;
        ssl_certificate_key  tls.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_session_timeout  5m;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

When I compile it with OpenSSL 1.1.1l, nginx will response over TLSv1 and TLSv1.1.

compile with openssl 1.1.1l.

# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2) 
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --with-openssl=../openssl-1.1.1l --with-openssl-opt=enable-weak-ssl-ciphers --with-http_ssl_module

use same nginx.conf

$ ./testssl.sh tls.example.net | grep TLS
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

Change History (1)

comment:1 by Sergey Kandaurov, 4 weeks ago

Resolution: invalid
Status: newclosed

They are no longer enabled by default, see OpenSSL 3.0 CHANGES.md:
The security strength of SHA1 and MD5 based signatures in TLS has been reduced.

This means older protocols versions such as TLS 1.1 no longer work.
It may still be re-enabled by lowering the security level, e.g.:
ssl_ciphers DEFAULT:@SECLEVEL=0;

Note: See TracTickets for help on using tickets.