no TLS1.3 with 1.15.5

Sat, 03 Nov 2018 11:14:48 -0700 

Hello, everyone.

I am stuck with a fresh installation which runs absolutely fine except it 
doesn't offer TLS1.3 which is the the biggest reason for updating the server.

Below is some info about my config.

Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic

nginx compile options: nginx/1.15.5 (Ubuntu)
built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx 
--modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf 
--error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid 
--lock-path=/var/run/nginx.lock --user=nobody --group=nogroup --build=Ubuntu 
--builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 
--with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 
--with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module 
--with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module 
--with-http_realip_module --with-http_addition_module 
--with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic 
--with-http_sub_module --with-http_geoip_module=dynamic 
--with-http_auth_request_module --with-http_secure_link_module 
--with-http_degradation_module --with-http_slice_module 
--with-http_stub_status_module --with-http_perl_module=dynamic 
--with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl 
--http-log-path=/var/log/nginx/access.log 
--http-client-body-temp-path=/var/cache/nginx/client_temp 
--without-http_empty_gif_module --without-http_browser_module 
--without-http_fastcgi_module --without-http_uwsgi_module 
--without-http_scgi_module --without-mail_pop3_module 
--without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic 
--with-stream_ssl_module --with-stream_realip_module 
--with-stream_geoip_module=dynamic --with-stream_ssl_preread_module 
--with-compat --with-debug

/etc/nginx/sites-available/default:

ssl_session_cache shared:SSL:1m;

server {

ssl_early_data on;
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 
TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
ssl_ecdh_curve secp521r1:secp384r1;

}

I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max = 4, that 
is TLS1.3 RFC as far as I know) and ssllabs.com's test says TLSv1.3 is 
non-existent on the server.

Any help would be much appreciated.

Bogdan
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to