Hello!

On Thu, Aug 15, 2019 at 09:05:42AM -0400, TC_Hessen wrote:

> Hi,
> 
> I am new to this forum, but not new to nginx. I am running multiple debian
> servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.
> 
> nginx version: nginx/1.14.1
> built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1c  28 May
> 2019)
> TLS SNI support enabled
> 
> To prevent the servers agains the new bugs, I tried to upgrade directly to
> 1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
> is not running anymore:
> 
> nginx version: nginx/1.17.3
> built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
> built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May
> 2019)
> TLS SNI support enabled
> 
> Where is the error?

OS you are using is shipped with OpenSSL 1.1.0j, and nginx is 
built with this old OpenSSL version.  As such, TLSv1.3 is not 
available.

There was a bug which made TLSv1.3 always enabled when was 
compiled with OpenSSL 1.1.0 and running with OpenSSL 1.1.1, it was 
fixed in nginx 1.15.6 and 1.14.2 (quote from 
http://nginx.org/en/CHANGES-1.14):

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

Since you were using nginx 1.14.1 previously, TLS 1.3 was enabled 
due to this bug.

-- 
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to