Re: nginx 1.17.3 and TLSv1.3
The problem has been solved, thank you very much.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285325,285327#msg-285327

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: nginx 1.17.3 and TLSv1.3
Hello!

On Fri, Aug 16, 2019 at 02:15:22PM -0400, benztoy wrote:

> I want to run two nginx services on one host. They are nginxA and nginxB
> nginxA listening on https443 port. Only the TLSv1.3 protocol is available.
> The configuration file is as follows:

[...]

>     server {
>         listen       443 ssl;
>         server_name  localhost;
>
>         ssl_certificate      cert.pem;
>         ssl_certificate_key  cert.key;
>
>         ssl_session_cache    shared:SSL:1m;
>         ssl_session_timeout  5m;
>
>         ssl_protocols TLSv1.3;

So only TLSv1.3 is enabled on the 443 port.

[...]

>         location / {
>             proxy_pass https://127.0.0.1/;
>             proxy_ssl_session_reuse off;
>         }

And no proxy_ssl_protocols set for proxying, so it only has TLSv1,
TLSv1.1, and TLSv1.2 enabled by default.

[...]

> But when I visit https://127.0.0.1:444
> Return to 502 Bad Gateway
> Among them, nginx serving port 444 has error.log:
> SSL_do_handshake() failed (SSL: error:1409442E:SSL
> routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70)
> while SSL handshaking to upstream, client: 127.0.0.1, server: localhost,
> request: "GET / HTTP/1.1", upstream: "https://127.0.0.1:443/", host:
> "127.0.0.1:444"
>
>
> Dear friends, What is the reason for this?
> My first service ssl protocol version of nginxA must be TLSv1.3 only. There
> is no other lower version. Can I successfully access https://127.0.0.1:444
> by modifying the nginxA or nginxB configuration file?

The problem is that you are trying to connect to a TLSv1.3-only port
by using the proxy not configured to use TLSv1.3. You have to enable
TLSv1.3 in your proxy configuration, something like:

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

should work. See http://nginx.org/r/proxy_ssl_protocols for additional
details.

-- 
Maxim Dounin
http://mdounin.ru/
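A complete nginxB configuration that applies the fix from this reply, as an added example that is not part of the thread and not the poster's own file. Only the directives named in the thread (ssl_protocols, proxy_pass, proxy_ssl_session_reuse, proxy_ssl_protocols) are taken from it; the certificate and log paths, the `proxy_ssl_verify` block and the choice of TLSv1.3 alone for the upstream connection are assumptions added here. nginxA's 443 server stays exactly as quoted above (ssl_protocols TLSv1.3).

```nginx
# nginxB (added example): listens on 444 and proxies to nginxA on 443,
# which accepts TLSv1.3 only.  Paths and addresses are placeholders.
worker_processes  1;
error_log  logs/error.log info;      # placeholder; keeps handshake errors visible

events {
    worker_connections  1024;
}

http {
    server {
        listen       444 ssl;
        server_name  localhost;

        ssl_certificate      cert.pem;    # placeholder
        ssl_certificate_key  cert.key;    # placeholder
        ssl_protocols        TLSv1.3;     # client-facing side: TLSv1.3 only, as requested

        location / {
            proxy_pass https://127.0.0.1/;
            proxy_ssl_session_reuse off;

            # The fix from this thread.  Without this directive nginx 1.17.3
            # offers only TLSv1 TLSv1.1 TLSv1.2 to the upstream (the default
            # stated in the reply), the TLSv1.3-only upstream answers with
            # alert 70 (protocol_version), and the client sees 502 Bad Gateway.
            # Because the upstream accepts nothing older, TLSv1.3 alone is
            # enough here and rules out any downgrade; the wider list from
            # the reply works as well.
            proxy_ssl_protocols TLSv1.3;

            # Optional hardening (assumption, not discussed in the thread):
            # verify the upstream certificate instead of accepting any cert.
            #proxy_ssl_verify on;
            #proxy_ssl_trusted_certificate upstream-ca.pem;   # placeholder
            #proxy_ssl_name localhost;
        }
    }
}
```

Check the file with `nginx -t` and reload. After the change the `SSL_do_handshake() failed ... SSL alert number 70` line should stop appearing in nginxB's error.log and a request to https://127.0.0.1:444 should be answered by nginxA. TLSv1.3 in either directive only takes effect when nginx was built against OpenSSL 1.1.1 or newer; the separate thread on this page about a build against OpenSSL 1.1.0 shows the failure mode when it was not.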
nginx 1.17.3 and TLSv1.3
I want to run two nginx services on one host. They are nginxA and nginxB.

nginxA is listening on the https 443 port. Only the TLSv1.3 protocol is
available. The configuration file is as follows:

    #user  nobody;
    worker_processes  1;

    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;

    #pid        logs/nginx.pid;

    events {
        worker_connections  1024;
    }

    http {
        include       mime.types;
        default_type  application/octet-stream;

        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';

        #access_log  logs/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        #keepalive_timeout  0;
        keepalive_timeout  65;

        #gzip  on;

        server {
            listen       80;
            server_name  localhost;

            #charset koi8-r;

            #access_log  logs/host.access.log  main;

            location / {
                root   html;
                index  index.html index.htm;
            }

            #error_page  404              /404.html;

            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }

            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root           html;
            #    fastcgi_pass   127.0.0.1:9000;
            #    fastcgi_index  index.php;
            #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            #    include        fastcgi_params;
            #}

            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }

        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen       8000;
        #    listen       somename:8080;
        #    server_name  somename  alias  another.alias;

        #    location / {
        #        root   html;
        #        index  index.html index.htm;
        #    }
        #}

        # HTTPS server
        #
        server {
            listen       443 ssl;
            server_name  localhost;

            ssl_certificate      cert.pem;
            ssl_certificate_key  cert.key;

            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;

            ssl_protocols TLSv1.3;
            ssl_ciphers TLS13-AES-128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_prefer_server_ciphers  on;

            location / {
                root   html;
                index  index.html index.htm;
            }
        }
    }

###

nginxB is listening on the https 444 port. It just provides the proxy
function, redirecting to the https 443 port (nginxA), and only provides the
TLSv1.3 protocol. The configuration file is as follows:

###

    #user  nobody;
    worker_processes  1;

    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;

    #pid        logs/nginx.pid;

    events {
        worker_connections  1024;
    }

    http {
        include       mime.types;
        default_type  application/octet-stream;

        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';

        #access_log  logs/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        #keepalive_timeout  0;
        keepalive_timeout  65;

        #gzip  on;

        server {
            listen       80;
            server_name  localhost;

            #charset koi8-r;

            #access_log  logs/host.access.log  main;

            location / {
                root   html;
                index  index.html index.htm;
            }

            #error_page  404              /404.html;

            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }

            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root           html;
            #    fastcgi_pass   127.0.0.1:9000;
            #    fastcgi_index  index.php;
            #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            #    include        fastcgi_params;
            #}

            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }

        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen       8000;
        #    listen       somename:8080;
        #    server_name  somename
Re: nginx-1.17.3 and TLS v1.3
Hello!

On Thu, Aug 15, 2019 at 09:05:42AM -0400, TC_Hessen wrote:

> Hi,
>
> I am new to this forum, but not new to nginx. I am running multiple debian
> servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.
>
> nginx version: nginx/1.14.1
> built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.1c 28 May
> 2019)
> TLS SNI support enabled
>
> To protect the servers against the new bugs, I tried to upgrade directly to
> 1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
> is not running anymore:
>
> nginx version: nginx/1.17.3
> built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
> built with OpenSSL 1.1.0j 20 Nov 2018 (running with OpenSSL 1.1.1c 28 May
> 2019)
> TLS SNI support enabled
>
> Where is the error?

The OS you are using is shipped with OpenSSL 1.1.0j, and nginx is built
with this old OpenSSL version. As such, TLSv1.3 is not available.

There was a bug which made TLSv1.3 always enabled when nginx was compiled
with OpenSSL 1.1.0 and running with OpenSSL 1.1.1; it was fixed in
nginx 1.15.6 and 1.14.2 (quote from http://nginx.org/en/CHANGES-1.14):

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

Since you were using nginx 1.14.1 previously, TLS 1.3 was enabled due to
this bug.

-- 
Maxim Dounin
http://mdounin.ru/
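The distinction in this reply (the OpenSSL nginx was built with decides whether TLSv1.3 is available; the one it is running with does not) is easy to miss when reading `nginx -V` by eye. The script below is an added example, not from the thread: it extracts both versions from `nginx -V` output and gives a verdict. The function names are my own, and the sample output is constructed from the 1.17.3 lines quoted above.

```sh
#!/bin/sh
# Added example: decide from `nginx -V` output whether the binary can offer
# TLSv1.3 at all.  nginx prints the OpenSSL it was *built* with and, only when
# different, the one it is *running* with; the build-time version is what
# matters, as the reply above explains.

# Print the "built with OpenSSL <ver>" version found on stdin (first match).
built_openssl_version() {
    sed -n 's/.*built with OpenSSL \([0-9][0-9.a-z]*\).*/\1/p' | head -n 1
}

# Print the "(running with OpenSSL <ver>)" version; empty if nginx did not
# print one, which happens when build and runtime libraries are the same.
running_openssl_version() {
    sed -n 's/.*running with OpenSSL \([0-9][0-9.a-z]*\).*/\1/p' | head -n 1
}

# Return 0 if <ver> is OpenSSL 1.1.1 or newer (the first release with
# TLSv1.3), 1 otherwise.  Letter suffixes such as the "j" in 1.1.0j are
# dropped before comparing because they never change the feature level.
openssl_has_tls13() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Take the full `nginx -V` text, print a one-line verdict and return 0 when
# the build can offer TLSv1.3, 1 when it cannot (whatever the runtime lib).
tls13_verdict() {
    built=$(printf '%s\n' "$1" | built_openssl_version)
    running=$(printf '%s\n' "$1" | running_openssl_version)
    if [ -z "$built" ]; then
        echo "no 'built with OpenSSL' line found; pass the output of: nginx -V 2>&1"
        return 1
    fi
    if openssl_has_tls13 "$built"; then
        echo "built with OpenSSL $built: TLSv1.3 available"
        return 0
    fi
    hint=""
    if [ -n "$running" ]; then
        hint=" (running with $running does not help; use a build against 1.1.1 or newer)"
    fi
    echo "built with OpenSSL $built: TLSv1.3 NOT available$hint"
    return 1
}

# Constructed sample: the 1.17.3 output quoted in the thread.  nginx writes
# this to stderr, hence `nginx -V 2>&1` in real use.
SAMPLE_V='nginx version: nginx/1.17.3
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May 2019)
TLS SNI support enabled'

tls13_verdict "$SAMPLE_V" || true
```

In practice run `tls13_verdict "$(nginx -V 2>&1)"` on the host; a non-zero exit means the package was built against a pre-1.1.1 OpenSSL and no `ssl_protocols TLSv1.3` directive will change that.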
Re: nginx-1.17.3 and TLS v1.3
I suggest you consider investigating Intel's Clear Linux.

https://docs.01.org/clearlinux/latest/index.html
https://docs.01.org/clearlinux/latest/about.html#
https://docs.01.org/clearlinux/latest/reference/bundles/bundles.html

Read specifically about swupd and bundles. This is a 'Stateless' OS.

In particular to your issues, on Clear Linux you'd install the nginx-mainline
bundle; all the source packages and dependencies are tested with the bundle
before distribution to swupd. For example, the nginx-mainline bundle version
requires lib-openssl, and only the compatible, tested lib-openssl package
version will be included.

This strategy eliminates all those fragmented dependency issues on every
other Linux distro, where you install nginx but you've no real idea what
openssl version is going to work with it.

Admittedly, Clear Linux is a little unfamiliar at first, but give it a try;
there are far fewer headaches to deal with than with the other 'popular'
distros.

Apologies for not addressing your issue directly.

> On 15 Aug 2019, at 21:05, TC_Hessen wrote:
>
> Hi,
>
> I am new to this forum, but not new to nginx. I am running multiple debian
> servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.
>
> nginx version: nginx/1.14.1
> built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.1c 28 May
> 2019)
> TLS SNI support enabled
>
> To protect the servers against the new bugs, I tried to upgrade directly to
> 1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
> is not running anymore:
>
> nginx version: nginx/1.17.3
> built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
> built with OpenSSL 1.1.0j 20 Nov 2018 (running with OpenSSL 1.1.1c 28 May
> 2019)
> TLS SNI support enabled
>
> Where is the error?
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,285294,285294#msg-285294
nginx-1.17.3 and TLS v1.3
Hi,

I am new to this forum, but not new to nginx. I am running multiple debian
servers (stretch) with nginx 1.14.1 and TLS 1.3 support, i.e.

    nginx version: nginx/1.14.1
    built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.1c 28 May 2019)
    TLS SNI support enabled

To protect the servers against the new bugs, I tried to upgrade directly to
1.17.3 provided by nginx.org. That works without any problems, but TLS 1.3
is not running anymore:

    nginx version: nginx/1.17.3
    built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
    built with OpenSSL 1.1.0j 20 Nov 2018 (running with OpenSSL 1.1.1c 28 May 2019)
    TLS SNI support enabled

Where is the error?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285294,285294#msg-285294
Re: nginx-1.17.3
> For mobile clients there is (already) TLS1.3 + early data, TFO (TCP fast
> open).
> Do you use them?

TLS1.3 - yes.
Early data, TFO - no; we have a problem with frequent WebSocket connection
drops, and mobile clients are strongly affected by this, because of TCP...

Posted at Nginx Forum: https://forum.nginx.org/read.php?21,285238,285251#msg-285251

___
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru
Re: nginx-1.17.3
On Tue, 13 Aug 2019 at 23:06, S.A.N wrote:

> In your roadmap for the 1.17 branch, are there plans to implement QUIC
> (HTTP/3), and what is your estimate of when it will be ready this year?
> And, if it is not too much trouble, tell us what you think of QUIC: is there
> really a lot of benefit in it for mobile clients? We have a great many
> mobile HTTP clients and this topic is very interesting to us.

For mobile clients there is (already) TLS1.3 + early data, TFO (TCP fast
open). Do you use them?

> Thanks.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?21,285238,285245#msg-285245
Re: [nginx-announce] nginx-1.17.3
Hello Nginx users,

Now available: Nginx 1.17.3 for Windows
https://kevinworthington.com/nginxwin1173 (32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington

Thank you,
Kevin

-- 
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
https://kevinworthington.com/
https://twitter.com/kworthington

On Tue, Aug 13, 2019 at 1:04 PM Maxim Dounin wrote:

> Changes with nginx 1.17.3                                        13 Aug 2019
>
> *) Security: when using HTTP/2 a client might cause excessive memory
>    consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
>    CVE-2019-9516).
>
> *) Bugfix: "zero size buf" alerts might appear in logs when using
>    gzipping; the bug had appeared in 1.17.2.
>
> *) Bugfix: a segmentation fault might occur in a worker process if the
>    "resolver" directive was used in SMTP proxy.
>
>
> --
> Maxim Dounin
> http://nginx.org/
> ___
> nginx-announce mailing list
> nginx-annou...@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-announce
Re: nginx-1.17.3
In your roadmap for the 1.17 branch, are there plans to implement QUIC
(HTTP/3), and what is your estimate of when it will be ready this year?
And, if it is not too much trouble, tell us what you think of QUIC: is there
really a lot of benefit in it for mobile clients? We have a great many
mobile HTTP clients and this topic is very interesting to us.

Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?21,285238,285245#msg-285245
[nginx-ru-announce] nginx-1.17.3
Changes with nginx 1.17.3                                        13.08.2019

*) Security: when using HTTP/2 a client might cause excessive memory
   consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
   CVE-2019-9516).

*) Bugfix: when using compression, "zero size buf" messages might appear
   in logs; the bug appeared in 1.17.2.

*) Bugfix: when the resolver directive was used in the SMTP proxy server,
   a segmentation fault might occur in a worker process.

-- 
Maxim Dounin
http://nginx.org/

___
nginx-ru-announce mailing list
nginx-ru-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru-announce
nginx-1.17.3
Changes with nginx 1.17.3                                        13 Aug 2019

*) Security: when using HTTP/2 a client might cause excessive memory
   consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
   CVE-2019-9516).

*) Bugfix: "zero size buf" alerts might appear in logs when using
   gzipping; the bug had appeared in 1.17.2.

*) Bugfix: a segmentation fault might occur in a worker process if the
   "resolver" directive was used in SMTP proxy.

-- 
Maxim Dounin
http://nginx.org/
[nginx] nginx-1.17.3-RELEASE
details: https://hg.nginx.org/nginx/rev/ed4303aa1b31 branches: changeset: 7550:ed4303aa1b31 user: Maxim Dounin date: Tue Aug 13 15:45:56 2019 +0300 description: nginx-1.17.3-RELEASE diffstat: docs/xml/nginx/changes.xml | 40 1 files changed, 40 insertions(+), 0 deletions(-) diffs (50 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,46 @@ + + + + +при использовании HTTP/2 клиент мог вызвать +чрезмерное потребление памяти и ресурсов процессора +(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + +when using HTTP/2 a client might cause +excessive memory consumption and CPU usage +(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + + + + +при использовании сжатия в логах могли появляться сообщения "zero size buf"; +ошибка появилась в 1.17.2. + + +"zero size buf" alerts might appear in logs when using gzipping; +the bug had appeared in 1.17.2. + + + + + +при использовании директивы resolver в SMTP прокси-сервере +в рабочем процессе мог произойти segmentation fault. + + +a segmentation fault might occur in a worker process +if the "resolver" directive was used in SMTP proxy. + + + + + + ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
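Review bot: the security entry in the first region of this hunk names three CVEs but, unlike the two bugfix entries that end with "the bug had appeared in 1.17.2", gives no affected-version range, so a reader of changes.xml cannot tell whether older branches need the same fix. Suggest adding the affected versions to that entry, or a pointer to the advisory where they are listed.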