Opened 2 years ago

Closed 2 years ago

#2538 closed defect (duplicate)

Site has TLS 1.2 connection despite being configured with TLS 1.3 only

Reported by: vp1981@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.25.x
Keywords: Cc:
uname -a: Linux smoon.bkoty.ru 6.5.0-rc7-next-20230825-1-next-git-12910-g626932085009 #1 SMP PREEMPT_DYNAMIC Fri, 25 Aug 2023 22:20:42 +0000 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.25.2
built with OpenSSL 3.1.2 1 Aug 2023
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/nginx-mainline/src=/usr/src/debug/nginx-mainline -flto=auto' --with-ld-opt='-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto' --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads

Description

Hello,
I'm running nginx on Archlinux.

Change History (3)

comment:1 by vp1981@…, 2 years ago

(Continue)

I configured nginx to establish only TLS 1.3 connections and all was fine until version 1.25.2, but with 1.25.2 both curl and ssllabs show me that site also available with TLS 1.2.

To make nginx to force only TLS 1.3 I used OPENSSL_CONF variable pointing to file with content

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = ServerPreference,PrioritizeChaCha

with the following configuration for the site

  listen            443 ssl;
  listen       [::]:443 ssl;
  http2        on;
  server_name  notes.bkoty.ru blog.bkoty.ru;

  ssl_session_cache    shared:SSL:10m;
  ssl_session_timeout  10m;
  ssl_password_file    /etc/cert/hosts/notes.ppp;
  ssl_certificate      /etc/cert/hosts/notes.crt;
  ssl_certificate_key  /etc/cert/hosts/notes.key;
  ssl_prefer_server_ciphers  on;
  ssl_protocols        TLSv1.3;
  ssl_ecdh_curve       secp384r1;

comment:2 by vp1981@…, 2 years ago

(Continue 3)

This is how I tested with curl:

(see attachment).

comment:3 by Maxim Dounin, 2 years ago

Resolution: duplicate
Status: newclosed

Duplicate of #2541.

Note: See TracTickets for help on using tickets.