Hello!

On Mon, May 04, 2020 at 08:10:38PM +0200, Vincent Blondel wrote:

> I just copy/pasted/replaced the content of my openssl.conf with the
> proposal in this mail ... still OK with tlsv1.2 and NOK with tlsv1.3 ...
>
> openssl is up to date and seems working fine ...

Some things to consider:

- Make sure the openssl.conf you are editing is the one which is
  actually used.  No errors are produced if loading openssl conf
  fails, and this somewhat complicates things.  Given that your
  first message in this thread suggests you are trying to do this
  on Windows, trying to use variables when starting nginx might
  complicate things.  Also it might not be trivial to trace if the
  file is actually used (on unix you can use things like ktrace /
  strace / truss).

- Make sure there are no non-text things in the openssl.conf such
  as byte order marks.  Some editors tend to add them, and this
  often breaks things.

- Make sure you are testing things correctly.  Testing cipher
  preference, especially for TLSv1.3 ciphers, might be non-trivial.
  Simpler test might be to disable some Ciphersuites in the
  openssl.conf, and make sure these are actually disabled.  And
  once you see them disabled, start playing with PrioritizeChaCha.

-- 
Maxim Dounin
http://mdounin.ru/
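The check for byte order marks and other non-text bytes suggested in the message above, as an added example that is not part of the original message or of nginx or OpenSSL: it reads the config as raw bytes and reports a leading BOM, NUL bytes, and any non-ASCII or control bytes per line. The function names and the sample config content are constructed for illustration.

```python
import codecs
import os
import tempfile

# Longer marks first: the UTF-32 LE mark begins with the UTF-16 LE mark.
BOMS = [
    (codecs.BOM_UTF32_LE, "UTF-32 LE"),
    (codecs.BOM_UTF32_BE, "UTF-32 BE"),
    (codecs.BOM_UTF8, "UTF-8"),
    (codecs.BOM_UTF16_LE, "UTF-16 LE"),
    (codecs.BOM_UTF16_BE, "UTF-16 BE"),
]


def find_non_text(data: bytes) -> list:
    """Return findings for anything in data that is not plain ASCII text."""
    findings = []
    for bom, name in BOMS:
        if data.startswith(bom):
            findings.append(f"{name} byte order mark at start of file")
            data = data[len(bom):]
            break
    if b"\x00" in data:
        findings.append("NUL bytes present (file looks like UTF-16/UTF-32)")
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        # Allow tab and CR (Windows line endings); NUL is reported above.
        bad = sorted({b for b in line
                      if b > 0x7E or (b < 0x20 and b not in (0x00, 0x09, 0x0D))})
        if bad:
            hexes = " ".join(f"0x{b:02x}" for b in bad)
            findings.append(f"line {lineno}: non-text bytes {hexes}")
    return findings


def check_file(path: str) -> list:
    """Check a file as raw bytes, without any decoding."""
    with open(path, "rb") as fh:
        return find_non_text(fh.read())


if __name__ == "__main__":
    # Constructed sample: a config an editor saved as "UTF-8 with BOM".
    sample = codecs.BOM_UTF8 + b"[system_default_sect]\r\nOptions = PrioritizeChaCha\r\n"
    with tempfile.NamedTemporaryFile(suffix=".conf", delete=False) as tmp:
        tmp.write(sample)
    try:
        for finding in check_file(tmp.name) or ["no non-text bytes found"]:
            print(finding)
    finally:
        os.unlink(tmp.name)
```

An empty result only says the file is plain ASCII text; whether it is the file that actually gets loaded still has to be checked separately.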
