Question NGINX - TLS 1.3

Ondra3211

Member
Joined
May 5, 2018
Messages
35
Points
41
Location
Czech Republic
nginx/1.14.1
OpenSSL 1.1.1b 26 Feb 2019
Debian 9


I want to try to disable TLS 1.3 on my website. This is my config:
NGINX:
server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /var/www/html;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;
}

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot

    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot
}
In all configuration files I have nothing about TLS 1.3. I have disabled TLS 1.3 with ssl_protocols TLSv1.2; but it's still enabled and I don't know why.
How can I disable TLS 1.3 in nginx?

Alligatoras

Administrator
Joined
Mar 31, 2016
Messages
2,043
Points
326
Age
25
Location
Greece
I assume you use Cloudflare due to some options you have there? You should disable TLS 1.3 from Cloudflare's domain settings.

Ondra3211

Member
Joined
May 5, 2018
Messages
35
Points
41
Location
Czech Republic
I found the problem! In the changelog for nginx 1.14.2 there is this:
Code:
    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.
I have nginx 1.14.1, so it's just a bug. How can I update my nginx to the newer version 1.14.2?

EDIT: I can't find any repo for Debian 9 Stretch. I want the latest nginx-full but there is nothing on the internet.
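
The changelog entry above describes a build-time versus run-time OpenSSL mismatch, and `nginx -V` exposes exactly that: when the library nginx runs against differs from the one it was compiled with, it prints `built with OpenSSL X (running with OpenSSL Y)`. The script below is an added example, not code from the thread or from the nginx project. It parses that line, compares the nginx version against 1.14.2, and gives a verdict on whether `ssl_protocols` actually controls TLS 1.3 on the binary. The sample `nginx -V` output is constructed to match what the poster reports (nginx 1.14.1, OpenSSL 1.1.1b); the `1.1.0f` build string is an assumed value for a package compiled on stock Debian 9. The second verdict relies on how the 1.14.2 fix works: when nginx's build headers lack TLS 1.3 (OpenSSL 1.1.0 and older), the fixed code caps the protocol at TLS 1.2, so `TLSv1.3` in `ssl_protocols` has no effect until nginx is rebuilt against OpenSSL 1.1.1.

```sh
#!/bin/sh
# Added example, not code from the thread: detect the build-time / run-time
# OpenSSL mismatch named in the nginx 1.14.2 changelog entry, using the
# "built with OpenSSL ... (running with OpenSSL ...)" line that `nginx -V` prints.
# SAMPLE_NGINX_V is constructed; the 1.1.0f build string is an assumption.

SAMPLE_NGINX_V='nginx version: nginx/1.14.1
built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1b  26 Feb 2019)
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module'

# version_lt A B: true (exit 0) when dotted version A sorts below B (1.14.1 < 1.14.2).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# openssl_versions: reads `nginx -V` output on stdin and prints
# "<built-with> <running-with>", e.g. "1.1.0f 1.1.1b". When nginx prints no
# "(running with ...)" part it runs against the library it was built with,
# so both fields are equal.
openssl_versions() {
    line=$(grep '^built with OpenSSL' || true)
    built=$(printf '%s\n' "$line" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$line" | sed -n 's/.*(running with OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$running" ] || running=$built
    echo "$built $running"
}

# tls13_verdict NGINX_VERSION BUILT RUNNING: one-line verdict on whether
# ssl_protocols really controls TLS 1.3 on this binary.
tls13_verdict() {
    nginx=$1 built=$2 running=$3
    [ -n "$built" ] || { echo "unknown: no OpenSSL build line (no ssl module?)"; return 0; }
    bseries=${built%%[a-z]*}      # 1.1.0f -> 1.1.0
    rseries=${running%%[a-z]*}    # 1.1.1b -> 1.1.1
    if version_lt "$nginx" 1.14.2 && version_lt "$bseries" 1.1.1 && ! version_lt "$rseries" 1.1.1; then
        echo "bug: nginx $nginx built with OpenSSL $built but running with $running forces TLS 1.3 on regardless of ssl_protocols (fixed in 1.14.2)"
    elif version_lt "$bseries" 1.1.1; then
        echo "no-tls13: built against OpenSSL $built, which predates TLS 1.3, so TLSv1.3 in ssl_protocols cannot take effect; rebuild against 1.1.1"
    else
        echo "ok: built with OpenSSL $built; ssl_protocols controls TLS 1.3 as written"
    fi
}

# Offline demonstration on the constructed sample.
set -- $(printf '%s\n' "$SAMPLE_NGINX_V" | openssl_versions)
tls13_verdict 1.14.1 "$1" "$2"    # bug: ...

# Live usage on a host with nginx installed (nginx -V writes to stderr, hence 2>&1).
if command -v nginx >/dev/null 2>&1; then
    nv=$(nginx -v 2>&1 | sed 's#.*nginx/##')
    set -- $(nginx -V 2>&1 | openssl_versions)
    tls13_verdict "$nv" "$1" "$2"
fi
```

Run it on the server itself; a `bug:` verdict means the only fix is upgrading nginx, while a `no-tls13:` verdict means a `TLSv1.3` entry in `ssl_protocols` is being silently ignored and the package has to be rebuilt or replaced with one linked against OpenSSL 1.1.1 headers.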

LILXJURK

Member
Joined
Dec 21, 2016
Messages
3
Points
33
Age
20
Use the official nginx repo from https://nginx.org/en/linux_packages.html

LILXJURK

Member
Joined
Dec 21, 2016
Messages
3
Points
33
Age
20
I want nginx-full. This is only the nginx package.
Code:
root@[host]:~# apt list -a nginx-full
Listing... Done
nginx-full/stretch-backports,stretch-backports,now 1.14.1-1~bpo9+1 amd64 [installed]
nginx-full/stable,stable 1.10.3-1+deb9u2 amd64
Nginx from the official repo is already built with all modules. You can read about it in the Dynamic Modules section. You don't need to have the nginx-full package from the Debian repo. Give it a try; if any package is missing you can always add it or rebuild nginx from source with it.

Ondra3211

Member
Joined
May 5, 2018
Messages
35
Points
41
Location
Czech Republic
I installed it but there are missing folders: sites-available, sites-enabled. In the modules directory there is nothing.

Ondra3211

Member
Joined
May 5, 2018
Messages
35
Points
41
Location
Czech Republic
I put my config in the conf.d directory and reloaded nginx without any errors. I have installed nginx 1.16.0. This is my virtual host config:
It restarted without any errors and this is in my config: ssl_protocols TLSv1.3 TLSv1.2;

NGINX:
server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /usr/share/nginx/web;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    location /beta {
        auth_basic "Administrator Login";
        auth_basic_user_file /var/www/web/beta/.htpasswd;
    }
}

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot

    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot
}
On SSL Labs it shows this:
[attachment 1970: SSL Labs result screenshot, not included in this page]
Code:
root@[host]:~# openssl s_client -connect domain.tld:443 -tls1_3
CONNECTED(00000003)
139660857135360:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And this cipher suite is not working:
Code:
2019/04/28 13:51:46 [emerg] 18256#18256: SSL_CTX_set_cipher_list("TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

Ondra3211

Member
Joined
May 5, 2018
Messages
35
Points
41
Location
Czech Republic
Can someone help me with this? I have OpenSSL 1.1.1b, nginx/1.16.0, Debian 9 Stretch.
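
The two outputs in this post point at two different things, and the script below is an added example (not code from the thread or from nginx) that separates them. First, the `openssl s_client -tls1_3` transcript: the `tlsv1 alert protocol version ... SSL alert number 70` line is the server refusing the requested version, so despite `ssl_protocols TLSv1.3 TLSv1.2` the running binary is not offering TLS 1.3 at all, which is what a package compiled against OpenSSL 1.1.0 headers produces even when libssl 1.1.1b is installed (`nginx -V` shows the "built with" version). Second, the `SSL_CTX_set_cipher_list(...) failed ... no cipher match` emerg: nginx hands `ssl_ciphers` to OpenSSL's cipher *list*, which in OpenSSL 1.1.1 selects only TLS 1.2-and-older suites. TLS 1.3 suites are a separate setting (`SSL_CTX_set_ciphersuites`, `openssl ciphers -ciphersuites`), their names are `TLS_AES_256_GCM_SHA384` and so on, and the `TLS13-*` spellings match nothing in the released OpenSSL 1.1.1, hence the error. nginx 1.16 has no directive that reaches that second setting (`ssl_conf_command`, which can pass `Ciphersuites`, only arrived in nginx 1.19.4), so on 1.16 the OpenSSL default TLS 1.3 suites are used and `ssl_ciphers` should list TLS 1.2 suites only. The transcripts in the script are constructed: the refused one mirrors the poster's output, the accepted one shows what OpenSSL 1.1.1 prints on a successful TLS 1.3 handshake.

```sh
#!/bin/sh
# Added example, not code from the thread: classify an `openssl s_client`
# transcript (refused version vs. real handshake) and lint an nginx ssl_ciphers
# value for TLS 1.3 suite names that do not belong in a cipher list.
# Both sample transcripts below are constructed.

SAMPLE_REFUSED='CONNECTED(00000003)
139660857135360:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.3'

# classify_handshake: reads a transcript on stdin and prints one of
#   refused                       server sent protocol_version (alert 70): the
#                                 version requested with -tls1_x is not enabled
#   accepted <version> <cipher>   a session was negotiated
#   unknown                       anything else (TCP refused, other alert, timeout)
classify_handshake() {
    t=$(cat)
    if printf '%s\n' "$t" | grep -q 'alert protocol version'; then
        echo refused
    elif printf '%s\n' "$t" | grep -q '^New, TLSv'; then
        printf '%s\n' "$t" | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is \(.*\)$/accepted \1 \2/p' | head -n 1
    else
        echo unknown
    fi
}

# probe_tls HOST tls1_2|tls1_3: live check of one version; needs network access.
probe_tls() {
    openssl s_client -connect "$1:443" -servername "$1" "-$2" </dev/null 2>&1 | classify_handshake
}

# lint_ssl_ciphers LIST: prints, colon-joined, the entries that are TLS 1.3 suite
# names (either the "TLS13-*" spellings OpenSSL 1.1.1 rejects outright or the
# "TLS_*" names that belong to the separate ciphersuites setting). Prints
# nothing when the list is clean.
lint_ssl_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' |
        awk '/^(TLS13-|TLS_)/ { out = out (out == "" ? "" : ":") $0 } END { if (out != "") print out }'
}

# to_ciphersuite_name NAME: rewrite "TLS13-AES-256-GCM-SHA384" into the
# OpenSSL 1.1.1 / IANA spelling "TLS_AES_256_GCM_SHA384".
to_ciphersuite_name() {
    printf '%s\n' "$1" | sed -e 's/^TLS13-/TLS_/' -e 's/-/_/g'
}

# Offline demonstration on the constructed samples and the poster's cipher list.
printf '%s\n' "$SAMPLE_REFUSED"  | classify_handshake    # refused
printf '%s\n' "$SAMPLE_ACCEPTED" | classify_handshake    # accepted TLSv1.3 TLS_AES_256_GCM_SHA384
lint_ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256'
to_ciphersuite_name TLS13-CHACHA20-POLY1305-SHA256       # TLS_CHACHA20_POLY1305_SHA256

# The same check the nginx emerg reports, run locally where openssl exists:
# a cipher list OpenSSL cannot resolve makes `openssl ciphers` exit non-zero.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers 'TLS13-AES-256-GCM-SHA384' >/dev/null 2>&1 || echo 'openssl: no cipher match for TLS13-* names'
fi
```

To confirm the first point on a live host, run `probe_tls domain.tld tls1_2` and `probe_tls domain.tld tls1_3` side by side: `accepted TLSv1.2 ...` next to `refused` is the signature of a binary without TLS 1.3 support rather than a configuration mistake. For the second point, `openssl ciphers -v "$LIST"` with the value from `ssl_ciphers` reproduces nginx's verdict without restarting the server.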