TLS 1.3 not being selected.

Posted by shiz 
June 03, 2018 02:10PM
Hi,

I can't see what I'm doing wrong.

When I visit https://www.cloudflare.com/ with my browser TLS 1.3 is used.

However when I visit my website, TLS 1.2 is selected instead.

My browser (opera 53) has this in its command line: "--ssl-version-max=tls1.3 --tls13-variant=draft"

Nginx is compiled like this:

nginx version: nginx/1.14.0
built with OpenSSL 1.1.1-pre7 (beta) 29 May 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong
-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE
-pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_addition_module --with-http_dav_module --with-http_geoip_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_image_filter_module --with-http_v2_module --with-http_sub_module
--with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail
--with-mail_ssl_module --with-threads
--add-module=/usr/local/src/nginx/nginx-1.14.0/debian/modules/nginx-auth-pam
--add-module=/usr/local/src/nginx/nginx-1.14.0/debian/modules/nginx-cache-purge
--add-module=/usr/local/src/nginx/nginx-1.14.0/debian/modules/nginx-dav-ext-module
--add-module=/usr/local/src/nginx/nginx-1.14.0/debian/modules/nginx-echo
--add-module=/usr/local/src/nginx/nginx-1.14.0/debian/modules/ngx_http_substitutions_filter_module
--add-module=/usr/local/src/ngx_brotli --with-openssl-opt=enable-tls1_3

testssl.sh does report TLS 1.3:

../testssl.sh -p www.ts-export.com

###########################################################
testssl.sh 3.0beta from https://testssl.sh/dev/
(f426a3b 2018-05-23 15:09:03 -- )

This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on NC-PH-0657-10:./bin/openssl.Linux.x86_64
(built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


Start 2018-06-02 21:16:10 -->> 209.188.18.190:443
(www.ts-export.com) <<--

rDNS (209.188.18.190): ts-export.com.
Service detected: HTTP


Testing protocols via sockets except NPN+ALPN

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): draft 28, draft 27, draft 26
NPN/SPDY h2, http/1.1 (advertised)
ALPN/HTTP2 h2, http/1.1 (offered)

Done 2018-06-02 21:16:17 [ 9s] -->> 209.188.18.190:443
(www.ts-export.com) <<--


Pertinent part of my configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

ssl_ciphers 'TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!RSA:!MD5:!PSK:!aECDH';
ssl_ecdh_curve secp384r1;



ssl_stapling on;
ssl_stapling_verify on;

Any suggestion?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280017,280017#msg-280017

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
A. Schulze
Re: TLS 1.3 not being selected.
June 03, 2018 04:40PM
On 03.06.2018 at 13:59, shiz wrote:
> TLS 1.3 offered (OK): draft 28, draft 27, draft 26

There are different, incompatible versions (drafts) of TLS 1.3.

Browser and server must implement the same draft version; otherwise the browser falls back to TLS 1.2.
See https://wiki.openssl.org/index.php/TLS1.3

Andreas
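To make the draft mismatch Andreas describes concrete, here is an added example (not code from the thread, nginx or OpenSSL) that models the TLS 1.3 supported_versions extension from RFC 8446 section 4.2.1: each draft is its own codepoint (0x7fNN for draft NN, 0x0304 for the final version), and a server that supports only drafts 26 to 28 can never select a client that offers only draft 23, so the handshake lands on TLS 1.2. The draft numbers on each side are taken from the thread (server: drafts 26, 27, 28; browsers: draft 23); the negotiation rule and the server preference order are assumptions of this model.

```python
"""Model TLS 1.3 version negotiation through the supported_versions
extension (RFC 8446 section 4.2.1). Constructed example, not nginx code."""
import struct

TLS12 = 0x0303        # legacy_version used when no TLS 1.3 codepoint matches
TLS13_FINAL = 0x0304  # final TLS 1.3 codepoint
DRAFT_PREFIX = 0x7f   # draft codepoints are 0x7fNN, NN = draft number


def version_name(v):
    """Human-readable name for a 2-byte TLS version codepoint."""
    if v == TLS12:
        return "TLS 1.2"
    if v == TLS13_FINAL:
        return "TLS 1.3"
    if (v >> 8) == DRAFT_PREFIX:
        return f"TLS 1.3 draft {v & 0xff}"
    return f"unknown 0x{v:04x}"


def encode_client_supported_versions(versions):
    """ClientHello extension body: 1-byte list length, then 2-byte versions."""
    body = b"".join(struct.pack(">H", v) for v in versions)
    return struct.pack(">B", len(body)) + body


def decode_client_supported_versions(data):
    """Parse the ClientHello extension body back into a list of codepoints."""
    n = data[0]
    if n % 2 or n != len(data) - 1:
        raise ValueError("malformed supported_versions extension")
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]


def negotiate(client_offered, server_supported):
    """Server walks its own preference list and picks the first version the
    client also offered; with no common draft it falls back to TLS 1.2 if the
    client offered that, else there is no agreement (assumed model)."""
    for v in server_supported:
        if v in client_offered:
            return v
    return TLS12 if TLS12 in client_offered else None


if __name__ == "__main__":
    browser = [0x7f17, TLS12]                    # draft 23 client, per the thread
    pre7_server = [0x7f1c, 0x7f1b, 0x7f1a, TLS12]  # drafts 28, 27, 26 from testssl
    pre2_server = [0x7f17, TLS12]                # rebuilt server speaking draft 23
    print("before rebuild:", version_name(negotiate(browser, pre7_server)))
    print("after rebuild: ", version_name(negotiate(browser, pre2_server)))
```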
shiz
Re: TLS 1.3 not being selected.
June 08, 2018 02:10AM
Ah! Thank you very much.

Recompiled with older openssl 1.1.1 pre2 since current browsers implement
draft 23 atm.

It's working now.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280017,280094#msg-280094
