[6.8] nginx + TLSv1.3
Hi.
Now on OpenBSD 6.8, we have LibreSSL TLSv1.3 support by default on client and server. The nginx version is 1.18.0:

Code:
nginx version: nginx/1.18.0
built with LibreSSL 3.2.2
TLS SNI support enabled
configure arguments: --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/lua-nginx-module --add-dynamic-module=/usr/local/lib/phusion-passenger26/src/nginx_module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-rtmp-module-1.2.1/ --prefix=/var/www --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-log-path=logs/access.log --error-log-path=logs/error.log --http-client-body-temp-path=/var/www/cache/client_body_temp --http-proxy-temp-path=/var/www/cache/proxy_temp --http-fastcgi-temp-path=/var/www/cache/fastcgi_temp --http-scgi-temp-path=/var/www/cache/scgi_temp --http-uwsgi-temp-path=/var/www/cache/uwsgi_temp --user=www --group=www --with-http_auth_request_module --with-http_dav_module --with-http_image_filter_module=dynamic --with-http_gzip_static_module --with-http_gunzip_module --with-http_perl_module=dynamic --with-http_realip_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_ssl_module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/naxsi/naxsi_src/ --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/ngx_devel_kit --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/headers-more-nginx-module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/nginx-auth-ldap --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/ngx_http_geoip2_module --add-dynamic-module=/usr/obj/ports/nginx-1.18.0/nginx-1.18.0/ngx_http_hmac_secure_link_module

Code:
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.3 TLSv1.2;

But when I try to force a TLSv1.3-only connection, I get errors. Boo...

Code:
$ openssl s_client -tls1_3 -connect stephane-huc.net:443
CONNECTED(00000003)
139956876985664:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 240 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

$ curl -I4 -v --tlsv1.3 --tls-max 1.3 https://stephane-huc.net
*   Trying 88.136.16.221:443...
* Connected to stephane-huc.net (88.136.16.221) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

$ curl -I6 -v --tlsv1.3 --tls-max 1.3 https://stephane-huc.net
*   Trying 2001:470:cc33::3:443...
* Connected to stephane-huc.net (2001:470:cc33::3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
__________________
GPG Fingerprint ed25519: 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG Fingerprint rsa4096: 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733
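A small probe script, added here as an example (not code from the original post), that does what the openssl s_client runs above do by hand: it pins each TLS version in turn and reports whether the server negotiated it or answered with the "protocol version" alert (alert 70), so the result can be compared against the ssl_protocols line in nginx.conf. The host and port are placeholders; the classifier is tested on constructed s_client output.

```shell
#!/bin/sh
# classify_handshake: read openssl s_client output on stdin and print one of
#   negotiated:<Protocol>      the handshake completed with that version
#   rejected:protocol_version  the server replied with a protocol_version alert (70)
#   failed:unknown             anything else (refused, timeout, bad certificate, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'alert protocol version'; then
        echo "rejected:protocol_version"
        return 0
    fi
    # The negotiated version appears in the SSL-Session block as "Protocol  : TLSv1.x".
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$proto" ]; then
        echo "negotiated:$proto"
    else
        echo "failed:unknown"
    fi
}

# probe_versions HOST [PORT]: pin each version with the matching s_client flag,
# the same way the post pins TLSv1.3 with -tls1_3, and print one line per version.
probe_versions() {
    host=$1
    port=${2:-443}
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -"$flag" -connect "$host:$port" \
                     -servername "$host" </dev/null 2>&1 | classify_handshake)
        printf '%-7s %s\n' "$flag" "$result"
    done
}

# Example invocation against a placeholder host (replace before use):
# probe_versions www.example.invalid 443
```

A server whose ssl_protocols lists TLSv1.3 but that reports "rejected:protocol_version" for tls1_3 while negotiating TLSv1.2 is showing exactly the behaviour in the post.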
OK, after reading this mail, I understand the reason:
https://marc.info/?t=160301350900001&r=1&w=2 Sniff!