#1901 closed defect (invalid)
Can not specify cipher list of just 'TLSv1.3'
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.17.x |
| Keywords: | | Cc: | |

uname -a:

```
Linux dev-01 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```

nginx -V:

```
nginx version: nginx/1.17.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/nginx/openssl-1.1.1d --without-http_ssi_module --without-http_userid_module --without-http_geo_module --without-http_auth_basic_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre --with-http_ssl_module --with-stream --with-stream_ssl_module
```
Description

I was testing different scenarios using TLSv1.2 and TLSv1.3 and I came across a strange issue when specifying just TLSv1.3 for the cipher list.

For example, in my site if I set the following:

```
ssl_protocols TLSv1.3;
ssl_ciphers TLSv1.3;
```

The server fails to start with the error:

```
nginx: [emerg] SSL_CTX_set_cipher_list("TLSv1.3") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
```

However, I am able to specify the following:

```
ssl_protocols TLSv1.2;
ssl_ciphers TLSv1.2;
```

or

```
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLSv1.2:TLSv1.3;
```

and the server will start successfully.

I am not sure why it is throwing an error in the first scenario; it seems like a valid cipher list to me (and works with openssl).
Change History (2)
comment:1 by , 5 years ago

| Resolution: | → invalid |
|---|---|
| Status: | new → closed |

OpenSSL does not support "TLSv1.3" as a valid cipher string:

Instead, all TLSv1.3 ciphers are enabled by default, and can only be controlled via a separate API, see #1529. If "TLSv1.3" works as a cipher list for you somewhere, this means that the error returned by SSL_CTX_set_cipher_list() is simply ignored.

In this particular case, there is no need to specify anything in `ssl_ciphers`, as non-TLSv1.3 ciphers won't be used with TLSv1.3 anyway.

comment:2 by , 5 years ago

Thanks for the reply and pointing to #1529. After reading #1529 I see what you mean. I echo the one user's comments that the Nginx documentation should be updated to reflect that the 'ssl_ciphers' directive only applies to TLSv1.2 and earlier, and TLSv1.3 ciphers are enabled by default.

Part of the issue too was that I was running 'openssl ciphers TLSv1.3' on an Ubuntu Bionic system that was using OpenSSL v1.1.1, which does in fact return a valid list of TLSv1.3 ciphers. On this version you could also run 'openssl ciphers gibberish' and it would return the same result. Even though 'gibberish' is not a valid cipher string, the TLSv1.3 ciphers are always returned. This behavior changed in OpenSSL 1.1.1b (https://github.com/openssl/openssl/pull/7759). On v1.1.1b or later, running 'openssl ciphers TLSv1.3' or 'openssl ciphers gibberish' returns the error seen above, 'no cipher match'.
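The behaviour discussed in this ticket, reproduced from Python as an added example (not code from the ticket, from nginx or from OpenSSL): `ssl.SSLContext.set_ciphers()` calls the same OpenSSL function nginx calls at startup, `SSL_CTX_set_cipher_list()`, so an `ssl_ciphers` value can be validated before a reload, and `get_ciphers()` shows that the TLSv1.3 suites stay enabled whatever that value is. It assumes a Python linked against OpenSSL 1.1.1b or later; on older 1.1.1 builds the "TLSv1.3" string is silently accepted, as comment 2 describes.

```python
"""Check an nginx ssl_ciphers value the way nginx does at startup (added example)."""
from __future__ import annotations

import ssl


def libssl_enforces_cipher_match() -> bool:
    """OpenSSL >= 1.1.1b rejects a cipher string that matches no TLSv1.2-or-earlier
    cipher (the 'no cipher match' error in the ticket); older 1.1.1 builds did not."""
    return "OpenSSL" in ssl.OPENSSL_VERSION and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1, 2)


def check_cipher_string(cipher_string: str) -> tuple[bool, str | None]:
    """Return (accepted, error). set_ciphers() is SSL_CTX_set_cipher_list(),
    the call whose failure makes nginx exit with [emerg]."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return False, str(exc)
    return True, None


def suites_by_protocol(cipher_string: str) -> dict[str, list[str]]:
    """Names of the suites the context would offer, grouped by the protocol
    version each belongs to. TLSv1.3 suites are listed regardless of
    cipher_string, which only governs TLSv1.2 and earlier; Python exposes no
    binding for the separate TLSv1.3 API, so nothing here can change them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    grouped: dict[str, list[str]] = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def main() -> None:
    # The three ssl_ciphers values from the ticket.
    for value in ("TLSv1.3", "TLSv1.2", "TLSv1.2:TLSv1.3"):
        accepted, error = check_cipher_string(value)
        print(f"ssl_ciphers {value + ';':18} {'ok' if accepted else 'REJECTED: ' + error}")
    # With only TLSv1.2 ciphers configured, the TLSv1.3 suites are still offered.
    for protocol, names in suites_by_protocol("TLSv1.2").items():
        print(f"{protocol}: {', '.join(names)}")


if __name__ == "__main__":
    main()
```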