Opened 8 weeks ago

Last modified 8 weeks ago

#2627 new defect

different nginx behavior as v4 and v6

Reported by: HQuest@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.25.x
Keywords: Cc:
uname -a: Linux lab109.machine 6.6.23 #1 SMP PREEMPT_DYNAMIC Wed Mar 27 13:33:29 CDT 2024 x86_64 13th Gen Intel(R) Core(TM) i7-1360P GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.25.4
built with OpenSSL 3.2.1 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/var/www --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys --user=nginx --group=nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/client_body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --http-scgi-temp-path=/var/lib/nginx/scgi --with-file-aio --with-select_module --with-poll_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-cpp_test_module --with-compat --with-pcre --with-pcre-jit --without-pcre2 --with-libatomic --add-module=custom/ModSecurity-nginx --with-ld-opt='-lcurl -llua -lxml2 -lmaxminddb' --add-module=custom/ngx_http_geoip2_module --add-module=custom/njs/nginx

Description (last modified by HQuest@…)

While a client is connected via IPv4, nginx will offer "OCSP stapling" and a set of cipher suites in the order defined in the configuration.
While a client is connected via IPv6, nginx will not offer "OCSP stapling" and will change the cipher suites order defined in the configuration.
Behavior first noted on nginx/1.25.3 and present on nginx/1.25.4.

Cipher configuration:
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA2
56:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;

Change History (2)

comment:1 by HQuest@…, 8 weeks ago

Description: modified (diff)

comment:2 by HQuest@…, 8 weeks ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.