id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2541	TLS 1.2 connection on TLS 1.3 only site	vp1981@…		"I configured nginx to accept only TLS 1.3 connections and up to version 1.25.2 everything was fine. But since version 1.25.2, both `curl` and ssllabs show me that a site is accessible with TLS 1.2 as well.

To force the use of TLS 1.3, I used a trick with the `OPENSSL_CONF` environment variable pointing to a file with the content
{{{
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = ServerPreference,PrioritizeChaCha
}}}
and the following configuration for the site
{{{
  listen            443 ssl;
  listen       [::]:443 ssl;
  http2        on;
  server_name  isu.bkoty.ru;

  ssl_session_cache          shared:SSL:10m;
  ssl_session_timeout        10m;
  ssl_password_file          /etc/cert/hosts/isu.ppp;
  ssl_certificate            /etc/cert/hosts/isu.crt;
  ssl_certificate_key        /etc/cert/hosts/isu.key;
  ssl_protocols              TLSv1.3;
  ssl_prefer_server_ciphers  on;
  ssl_ecdh_curve             secp384r1;
}}}

To use the `OPENSSL_CONF` variable I added a line
{{{
Environment=OPENSSL_CONF=/etc/nginx/openssl.conf
}}}

to the `nginx.service` file.

Now, to test the connection to the site I ran the command
{{{
$ curl -I -v --tlsv1.2 --tls-max 1.2 https://isu.bkoty.ru
}}}
and the site responded using the TLS 1.2 protocol. I don't understand why TLS 1.2 is being used (I didn't configure it, right?). Has something changed in `nginx` regarding how openssl configuration is used?

P.S. Sorry, this might be my second ticket, I didn't manage to write the first one correctly.
"	defect	closed	major		nginx-core	1.25.x	invalid	tls1.2, tls1.3	vp1981@…	Linux node1.bkoty.ru 6.5.0-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Tue, 29 Aug 2023 18:39:35 +0000 x86_64 GNU/Linux	"nginx version: nginx/1.25.2
built with OpenSSL 3.1.2 1 Aug 2023
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/nginx-mainline/src=/usr/src/debug/nginx-mainline -flto=auto' --with-ld-opt='-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto' --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads"
