I run nginx 1.17.1 + openssl 1.1.1c on linux.
I typically configure recommended defaults for SSL usage, and it "just works",
with ssllabs reporting my sites as healthy with an "A+", fwiw.
Now, I'm currently working setting up a local-only server, attempting to get it
to use TLSv1.3/CHACHA20 only.
So I'm trying to tighten down restrictions in config. With my attempted
restrictions in place, I've found that I'm apparently NOT using
TLSv1.3/CHACHA20.
The current test setup follows; I'm not clear where the problem is -- in nginx,
openssl, or my config of either/both. I'm _guessing_ it's my usage/config ...
I've installed
which openssl
/usr/local/openssl/bin/openssl
openssl version
OpenSSL 1.1.1c 28 May 2019
nginx is built with/linked to this version
nginx -v
nginx version: nginx/1.17.1
ldd `which nginx` | grep ssl
libssl.so.1.1 => /usr/local/openssl/lib64/libssl.so.1.1
(0x00007f95bdc09000)
libcrypto.so.1.1 => /usr/local/openssl/lib64/libcrypto.so.1.1
(0x00007f95bd6f9000)
With this nginx config
server {
listen 10.0.1.20:443 ssl http2;
server_name test.dev.lan;
root /data/webapps/nulldir;
index index.html;
rewrite_log on;
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log info;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305";
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_trusted_certificate
"/usr/local/etc/ssl/myCA/myCA.chain.crt.pem";
ssl_certificate
"/usr/local/etc/ssl/test/test.ec.crt.pem";
ssl_certificate_key
"/usr/local/etc/ssl/test/test.ec.key.pem";
location / {
}
}
config check is ok,
nginxconfcheck
nginx: the configuration file /usr/local/etc/nginx/nginx.conf
syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test
is successful
and I see a TLS 1.3 handshake,
openssl s_client -connect 10.0.1.20:443 -CAfile
/usr/local/etc/ssl/myCA/myCA.chain.crt.pem
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 O = dev.lan, OU = myCA, L = NewYork, ST = NY, C = US,
emailAddress = ad...@dev.lan, CN = myCA_ROOT
verify return:1
depth=1 C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT,
emailAddress = ad...@dev.lan
verify return:1
depth=0 C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA,
CN = test.dev.lan, emailAddress = ad...@dev.lan
verify return:1
---
Certificate chain
0 s:C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN =
test.dev.lan, emailAddress = ad...@dev.lan
i:C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT,
emailAddress = ad...@dev.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEhjCCBAygAwIBAgICELAwCgYIKoZIzj0EAwIwgbAxCzAJBgNVBAYTAlVTMQsw
...
VHldKgTNpiGuFA==
-----END CERTIFICATE-----
subject=C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA,
CN = test.dev.lan, emailAddress = ad...@dev.lan
issuer=C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT,
emailAddress = ad...@dev.lan
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1565 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
CA79B0596A2CCF19BBA9A49E086F99E7F811FAC8349888E37531E46B17FE35A9
Session-ID-ctx:
Resumption PSK:
9966170E5086490D231260B15CDA6852D0CCDED661D1C075BF0DE3334C89472B158F2524282DD5F1175381B4317D8DC9
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 1e 49 9a 75 97 46 90 9c-8a ec 1b 8d ac 90 5a a6
.I.u.F........Z.
...
00d0 - 49 e4 e0 50 62 3b 45 a5-10 f9 9e 2e 43 09 41 40
I..Pb;E.....C.A@
Start Time: 1563419052
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
1B65B9377224E89FA226C7DC8103E3A57C13798F9FAA0B909BC36E436EE95DC9
Session-ID-ctx:
Resumption PSK:
FEDFC913674474BC83DBE17F4290CA744C92E0763B450C6C489724442E2B2C6F14849A6910356B7ADFFEA3D03D2E7931
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 1e 49 9a 75 97 46 90 9c-8a ec 1b 8d ac 90 5a a6
.I.u.F........Z.
...
00d0 - c9 d0 19 a1 00 6d 72 37-f7 f4 39 6b dd 48 4d cf
.....mr7..9k.HM.
Start Time: 1563419052
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
but the cipher used is
TLS_AES_256_GCM_SHA384
NOT either of the CHACHA20 options,
TLS-CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-CHACHA20-POLY130
And, if I change nginx to be 'TLSv1.3-only',
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
+ ssl_protocols TLSv1.3;
+ ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256";
even the webserver config check FAILs,
nginxconfcheck
TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL
routines:SSL_CTX_set_cipher_list:no cipher match)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test
failed
and the server fails to start.
So I _see_ two issues,
(1) when the webserver config passes, with not-just-TLS1.3 ciphers enabled in
the config, I get an SSL connection, using TLS1.3, but NOT the hoped-for
CHACHA20 ciphers.
(2) when I list ONLY TLS1.3 ciphers, the config check fails, and the server
won't start.
What's preventing the use of a just TLSv1.3 cipherlist? & specifically the
usage of CHACHA20 ciphers in connection?
My config? My cert? other?
I can certainly provide more detail; just not clear what to gather, atm.
