DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Packages and Ports

OpenBSD Packages and Ports Installation and upgrading of packages and ports on OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 18th October 2020
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 132
Default [6.8] nginx + TLSv1.3

Hi.

Now on OpenBSD 6.8, we have LibreSSL TLSv1.3 supports by default on client and server.

the version nginx is 1.18.0
Code:
nginx version: nginx/1.18.0
built with LibreSSL 3.2.2
TLS SNI support enabled
configure arguments: --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/lua-nginx-module --add-dynamic-module=/usr/local/lib/phusion-passenger26/src/nginx_module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-rtmp-module-1.2.1/ --prefix=/var/www --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-log-path=logs/access.log --error-log-path=logs/error.log --http-client-body-temp-path=/var/www/cache/client_body_temp --http-proxy-temp-path=/var/www/cache/proxy_temp --http-fastcgi-temp-path=/var/www/cache/fastcgi_temp --http-scgi-temp-path=/var/www/cache/scgi_temp --http-uwsgi-temp-path=/var/www/cache/uwsgi_temp --user=www --group=www --with-http_auth_request_module --with-http_dav_module --with-http_image_filter_module=dynamic --with-http_gzip_static_module --with-http_gunzip_module --with-http_perl_module=dynamic --with-http_realip_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_ssl_module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/naxsi/naxsi_src/ --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/ngx_devel_kit --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/headers-more-nginx-module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/nginx-auth-ldap --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/ngx_http_geoip2_module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/ngx_http_hmac_secure_link_module
On my domains, for the TLS, I configure those options:

Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.3 TLSv1.2
The "nginx -t" return OK.

But when I attempt to claim connection only TLSv1.3, I have errors. Boo...

Code:
$ openssl s_client -tls1_3 -connect stephane-huc.net:443
CONNECTED(00000003)
139956876985664:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 240 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

$ curl -I4 -v --tlsv1.3 --tls-max 1.3 https://stephane-huc.net
*   Trying 88.136.16.221:443...
* Connected to stephane-huc.net (88.136.16.221) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

$ curl -I6 -v --tlsv1.3 --tls-max 1.3 https://stephane-huc.net
*   Trying 2001:470:cc33::3:443...
* Connected to stephane-huc.net (2001:470:cc33::3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733
Reply With Quote
  #2   (View Single Post)  
Old 18th October 2020
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 132
Default

OK, after reading this mail, I understand the reason:

https://marc.info/?t=160301350900001&r=1&w=2

Sniff!
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733
Reply With Quote
Reply

Tags
nginx, openbsd, tlsv1.3

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Nginx on OpenBsd PapaParrot OpenBSD Packages and Ports 3 20th September 2017 11:42 PM
non-chroot nginx/php-fpm Oko OpenBSD Packages and Ports 1 25th December 2015 12:06 PM
php nginx mysql montie OpenBSD Packages and Ports 6 28th November 2014 04:26 AM
Nginx 1.2.7 released J65nko News 0 13th February 2013 11:54 PM
About perdition and nginx satimis General software and network 3 10th December 2008 12:53 PM


All times are GMT. The time now is 04:55 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick