Piling on this, I built nginx-1.14.0 from source with openssl-1.1.1-pre5 compiled in.
The macro in the header says it's at TLS 1.3 Draft 26. Chrome 66 claims to support Draft 23 (via chrome://flags)? Neither Cloudflare nor Chrome report TLS 1.3.

Yet when I do this from the command line for testing (openssl s_client host:443) I get:

    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 384 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384

ssl_ciphers are set to:

    TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

My questions:

1. Do the drafts try to negotiate to a common draft?
2. The server is compiled statically to the source for openssl that the openssl command is executed from. I'd think they would be able to negotiate the first protocol listed.
3. Why does the protocol come up (even with the openssl command) as TLS_AES_256_GCM_SHA384 and not the TLS13 variants? ChaCha20-Poly1305 works in TLS1.2 just fine.

Thoughts?

EKG

> On Apr 17, 2018, at 1:45 PM, Reinis Rozitis <[email protected]> wrote:
>
>> Is there any reason why SSLlabs would report only 1.2 as being available
>> despite the config showing otherwise ?
>
> Also SSLLabs supports only tls 1.3 draft18 while for example OpenSSL
> 1.1.1pre4 is draft 28, so it won't show that the server supports tls1.3.
>
> rr
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
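Questions 2 and 3 above have a mechanical side that can be checked offline: in OpenSSL 1.1.1 and later the TLS 1.3 suites carry their RFC 8446 names (TLS_AES_256_GCM_SHA384 and friends) and are configured through a separate API (SSL_CTX_set_ciphersuites, `-ciphersuites` in s_client), so the classic cipher string that nginx's ssl_ciphers hands to SSL_CTX_set_cipher_list neither recognises the TLS13-* names nor changes the order in which the TLS 1.3 suites are offered. The script below is an added example, not code from the thread or from nginx/OpenSSL; it assumes a Python ssl module built against such an OpenSSL and uses the thread's own ssl_ciphers value, rejoined across the line wraps, as constructed input.

```python
import ssl

# Added example, not from the thread. Python's ssl module wraps the same
# SSL_CTX_set_cipher_list call that nginx's ssl_ciphers and
# `openssl s_client -cipher` use, so it can show what that string controls.

# Whether the linked OpenSSL has TLS 1.3 at all (False on OpenSSL < 1.1.1).
HAS_TLS13 = getattr(ssl, "HAS_TLSv1_3", False)

# The ssl_ciphers value quoted in the thread, line-wrap gaps removed
# (constructed input for this demonstration).
NGINX_SSL_CIPHERS = (
    "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:"
    "TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:"
    "EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)


def cipher_string_accepted(cipher_string):
    """True if SSL_CTX_set_cipher_list accepts the string, which requires at
    least one TLS 1.2-or-older suite to match; TLS13-* names never match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def suites_by_protocol(cipher_string):
    """Apply a cipher string and return {protocol: [suite names in offer
    order]} as OpenSSL would actually offer them (unknown names are skipped)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    grouped = {}
    for c in ctx.get_ciphers():
        grouped.setdefault(c["protocol"], []).append(c["name"])
    return grouped


def tls13_list_unaffected(cipher_string_a, cipher_string_b):
    """True if two different cipher strings yield the same TLS 1.3 suite list,
    i.e. ssl_ciphers can neither rename nor reorder the TLS 1.3 suites."""
    a = suites_by_protocol(cipher_string_a).get("TLSv1.3")
    b = suites_by_protocol(cipher_string_b).get("TLSv1.3")
    return a == b
```

The nginx-side hook for the TLS 1.3 list is `ssl_conf_command Ciphersuites ...;` (nginx 1.19.4 and later), which is what governs the order the server actually negotiates.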
