Hi Don't you need a openssl that works with 1.3 as well. My sticking point is centos 6 - no openssl that comes with 1.3 - as far as i know
A On Mon, 5 Nov 2018 at 06:10, Bogdan via nginx <[email protected]> wrote: > Hi, Andreas! > > > I disabled NPN (Next Protocol Negotiation) because, as far as I know (not > very far and it comes from what I've read, since I am not an expert), ALPN > with HTTP/2 is more efficient and offers lower latency. Google also dropped > support for NPN in their Chrome browser. > > Indeed I tried to disable as many lines as possible, but the compiling > options for nginx weren't the culprit. The distribution's openssl was also > compiled from scratch (v1.1.1), so there was no chance that on my system I > was been using versions of software which were not able to offer TLS1.3 > support. > > The problem was that in /etc/nginx/nginx.conf I had this line which I > missed: > > ssl_protocols TLSv1.2; > > It was a configuration error on my part, so updating the line as follows > solved the problem: > > ssl_protocols TLSv1.2 TLSv1.3; > > A great trouble for a only a few missing characters, but once the trouble > is gone, the server runs greatly. :) > > > > Thank you for your suggestions! > > Bogdan > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Sunday, November 4, 2018 2:31 PM, A. Schulze <[email protected]> > wrote: > > > Am 03.11.18 um 19:14 schrieb Bogdan via nginx: > > > > > Hello, everyone. > > > I am stuck with a fresh installation which runs absolutely fine except > it doesn't offer TLS1.3 which is the the biggest reason for updating the > server. > > > Below is some info about my config. > > > Distribution: Ubuntu 18.04 server with kernel 4.15.0-38-generic > > > nginx compile options: nginx/1.15.5 (Ubuntu) > > > built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04) > > > built with OpenSSL 1.1.1 11 Sep 2018 > > > TLS SNI support enabled > > > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx > --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf > --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid > --lock-path=/var/run/nginx.lock --user=nobody --group=nogroup > --build=Ubuntu --builddir=nginx-1.15.5 --with-openssl=../openssl-1.1.1 > --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 > --with-openssl-opt=no-nextprotoneg --with-select_module --with-poll_module > --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module > --with-http_realip_module --with-http_addition_module > --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic > --with-http_sub_module --with-http_geoip_module=dynamic > --with-http_auth_request_module --with-http_secure_link_module > --with-http_degradation_module --with-http_slice_module > --with-http_stub_status_module --with-http_perl_module=dynamic > --with-perl_modules_path=/usr/share/perl/5.26.1 > > > --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log > --http-client-body-temp-path=/var/cache/nginx/client_temp > --without-http_empty_gif_module --without-http_browser_module > --without-http_fastcgi_module --without-http_uwsgi_module > --without-http_scgi_module --without-mail_pop3_module > --without-mail_imap_module --without-mail_smtp_module --with-stream=dynamic > --with-stream_ssl_module --with-stream_realip_module > --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module > --with-compat --with-debug > > > > Hello Bogdan, > > > > while I have not really a helpful suggestion for you I noticed you > disabled "nextprotoneg" for openssl. > > May I kindly ask why you do so? > > > > > /etc/nginx/sites-available/default: > > > ssl_session_cache shared:SSL:1m; > > > server { > > > ssl_early_data on; > > > > that one I did not know, so thanks for the hint. > > > > > ssl_dhparam /etc/nginx/ssl/dh4096.pem; > > > ssl_session_timeout 5m; > > > ssl_stapling on; > > > ssl_stapling_verify on; > > > ssl_prefer_server_ciphers on; > > > ssl_protocols TLSv1.2 TLSv1.3; > > > ssl_ciphers > TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA; > > > ssl_ecdh_curve secp521r1:secp384r1; > > > > try to disable as many option as possible. I would start leaving > ssl_dhparam, stapling, ciphers and curve options on defaults. > > > > > } > > > I can't reach beyond TLS1.2 with Firefox 63 (security.tls.version.max > = 4, that is TLS1.3 RFC as far as I know) and ssllabs.com's test says > TLSv1.3 is non-existent on the server. > > > > Also using "openssl s_client" is a good method for measurement. > > > > > Any help would be much appreciated. > > > > are you sure, nginx is really not build against distribution's openssl > not supporting TLS1.3? > > > > > Bogdan > > > > Good luck! > > Andreas > > > > nginx mailing list > > [email protected] > > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > nginx mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
