TLS 1.3 not working on nginx

1

I have the following configuration:

# SSL certificates
ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;

# Diffie-Hellman parameters for DHE cipher suites
ssl_dhparam /etc/nginx/dhparams.pem;

# Session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# Protocols
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

ssl_trusted_certificate /etc/letsencrypt/live/domain/fullchain.pem;

which I include in the website configuration files with the include directive of nginx. The problem is that while the website is fully working with a secure connection, TLS 1.3 is not enabled, and having tested it with openssl s_client -connect www.dimain.com:443 it sends this:

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

What could the problem be here?

Update

Problem solved! I was using the latest build from the official mainline repo from nginx, but this was built with OpenSSL v1.1.0, so I built nginx with OpenSSL from source and everything now works fine!

dim23

Posted 2019-07-07T07:23:10.547

Reputation: 11

1 Unfortunately your question is sparse on the relevant details. Please make sure that you have a version of nginx supporting TLS 1.3 which is both compiled and linked against a version of OpenSSL 1.1.1 - which currently means for most distributions that you cannot use the pre-built nginx but have to compile everything yourself. Check the error log in nginx. Make sure your openssl s_client supports TLS 1.3 too, i.e. is also OpenSSL 1.1.1. – Steffen Ullrich – 2019-07-07T08:12:24.387

I compiled the latest nginx with the latest openssl release and now I have TLS 1.3 support. Thanks! – dim23 – 2019-07-07T09:01:22.307

See also nginx 1.15.10 - TLSv1.3 doesn't get applied despite the config. – Steffen Ullrich – 2019-07-07T09:45:11.013

@dim23 please move that update to an answer – Sathyajith Bhat – 2019-07-07T12:14:21.483
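The failure mode in the question and Steffen Ullrich's comment comes down to two facts that are easy to verify from text: the OpenSSL version nginx was built against (the "built with OpenSSL" line of nginx -V; nginx decides at build time whether it can offer TLSv1.3, so 1.1.1 is the minimum) and the protocol the client actually negotiated (the "Protocol : TLSv1.x" line of openssl s_client). The script below is an added example, not code from the question or the answers, and the function names nginx_has_tls13_openssl, negotiated_protocol and tls13_diagnosis are my own; the nginx -V and s_client outputs it parses are constructed samples, not captured from a real host. One caveat worth knowing while reading the config above: the TLS_* names in ssl_ciphers are ignored by OpenSSL's cipher-list parser, since TLS 1.3 suites are configured through a separate ciphersuite setting, so their presence neither enables nor breaks TLS 1.3.

```shell
#!/bin/sh
# Added example (not from the original question or answers): offline checks for
# "TLSv1.3 is in ssl_protocols but clients still negotiate TLSv1.2".
# Both parsers read stdin, so for a live check feed them
#   nginx -V 2>&1
#   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null
# The client side must also be OpenSSL 1.1.1 or newer (check `openssl version`).

# nginx_has_tls13_openssl (hypothetical name): exit 0 if the "built with OpenSSL"
# line reports 1.1.1 or newer, 1 if older, 2 if no OpenSSL version line exists
# (e.g. a LibreSSL or BoringSSL build, which needs its own check).
# The *built with* version is what matters: nginx enables TLSv1.3 support at
# compile time, whatever library version it links at run time.
nginx_has_tls13_openssl() {
    ver=$(sed -n 's/.*built with OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    # Split "1.1.0" into fields and compare as a single integer: 1.1.1 -> 10101
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    num=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    [ "$num" -ge 10101 ]
}

# negotiated_protocol (hypothetical name): print the protocol named on the
# "Protocol : TLSv1.x" line of openssl s_client output; prints nothing if absent.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# tls13_diagnosis (hypothetical name): combine both checks into one verdict line.
# Usage: tls13_diagnosis "$nginx_V_output" "$s_client_output"
tls13_diagnosis() {
    proto=$(printf '%s\n' "$2" | negotiated_protocol)
    if [ "$proto" = "TLSv1.3" ]; then
        echo "ok: TLSv1.3 negotiated"
    elif printf '%s\n' "$1" | nginx_has_tls13_openssl; then
        echo "server build supports TLS 1.3 but $proto negotiated: check the client (openssl version must be 1.1.1+) and the ssl_protocols line"
    else
        echo "nginx built with OpenSSL older than 1.1.1 (or not OpenSSL): TLSv1.3 in ssl_protocols is ignored, $proto negotiated"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD_BUILD='nginx version: nginx/1.17.1
built by gcc 8.3.0
built with OpenSSL 1.1.0k  28 May 2019
TLS SNI support enabled'

SAMPLE_NEW_BUILD='nginx version: nginx/1.17.1
built by gcc 8.3.0
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled'

SAMPLE_SCLIENT='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Stand-alone run: show the verdict for both constructed builds.
if [ "${1:-}" = "--demo" ]; then
    tls13_diagnosis "$SAMPLE_OLD_BUILD" "$SAMPLE_SCLIENT"
    tls13_diagnosis "$SAMPLE_NEW_BUILD" "$SAMPLE_SCLIENT"
fi

# Live run against a host: ./tls13check.sh --live www.example.com
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    tls13_diagnosis "$(nginx -V 2>&1)" \
        "$(openssl s_client -connect "$2:443" -servername "$2" </dev/null 2>/dev/null)"
fi
```

Run it with --demo to see the two verdicts, or --live on the server itself (where nginx -V is available) to diagnose a real host. If the build check passes but TLSv1.2 is still negotiated, the next suspects are the client's own OpenSSL version and a stale ssl_protocols line elsewhere in the included server blocks.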

Answers

0

You've found the answer in compiling NGINX with latest OpenSSL.

However, compiling software that is meant for the web is all sorts of bad practice in terms of security:

  • compilation software scattered around your system poses a security risk
  • updating to next (potentially more secure with recent fixes) version of NGINX will require a recompilation, and longer downtime if not made carefully

There are pre-built NGINX versions with the latest OpenSSL that you can find online, which might be a better option.

E.g. for CentOS/RHEL 6,7 and 8, there is NGINX-MOD. Aside from TLS 1.3, it is patched with Cloudflare full HPACK support as well as dynamic TLS records feature.

Danila Vershinin

Posted 2019-07-07T07:23:10.547

Reputation: 113

Thank you for the clarification! – dim23 – 2019-07-08T09:23:26.757