NGINX - TLS 1.3

Ondra3211 · Apr 24, 2019

nginx/1.14.1
OpenSSL 1.1.1b 26 Feb 2019
Debian 9

I want to try disable TLS 1.3 on my website. This is my config:

NGINX:

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /var/www/html;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
      resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
      resolver_timeout 5s;


}server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot


    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot




}

In all configurations files I don't have nothing about TLS1.3. I have disabled TLS 1.3 ssl_protocols TLSv1.2; but it's still enabled and I don't know why.

HOW Can I disable TLS 1.3 in nginx?

Alligatoras · Apr 25, 2019

I assume you use cloudflare due to some options you have there? You should disable TLS 1.3 from cloudflare's domain settings.

Ondra3211 · Apr 25, 2019

I am not using Cloudflare

Ondra3211 · Apr 25, 2019

I found the problem! In changelog for nginx 1.14.2 is this:

Code:

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

I have nginx 1.14.1 so it's a just bug. How Can I update my nginx to newer vesion 1.14.2?

EDIT: I can't find any repo for Debian 9 strech. I want nginx-full latest but nothing on the internet.

LILXJURK · Apr 27, 2019

Ondra3211 said:
I found the problem! In changelog for nginx 1.14.2 is this:

Code:

*) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.

I have nginx 1.14.1 so it's a just bug. How Can I update my nginx to newer vesion 1.14.2?

EDIT: I can't find any repo for Debian 9 strech. I want nginx-full latest but nothing on the internet.

Use official nginx repo from https://nginx.org/en/linux_packages.html

Ondra3211 · Apr 28, 2019

LILXJURK said:
Use official nginx repo from https://nginx.org/en/linux_packages.html

I want nginx-full. This is only nginx package.

Code:

root@debian:~# apt list -a nginx-full
Listing... Done
nginx-full/stretch-backports,stretch-backports,now 1.14.1-1~bpo9+1 amd64 [installed]
nginx-full/stable,stable 1.10.3-1+deb9u2 amd64

LILXJURK · Apr 28, 2019

Ondra3211 said:
I want nginx-full. This is only nginx package.

Code:

root@debian:~# apt list -a nginx-full Listing... Done nginx-full/stretch-backports,stretch-backports,now 1.14.1-1~bpo9+1 amd64 [installed] nginx-full/stable,stable 1.10.3-1+deb9u2 amd64

Nginx from official repo is already build with all modules. You can read about it on Dynamic Module section. You don’t need to have a nginx-full package from Debian repo. Give it a try, if any package will be missin you can always add them or rebuild a nginx source with them.

Ondra3211 · Apr 28, 2019

LILXJURK said:
Nginx from official repo is already build with all modules. You can read about it on Dynamic Module section. You don’t need to have a nginx-full package from Debian repo. Give it a try, if any package will be missin you can always add them or rebuild a nginx source with them.

I installed but there are missing folders. sites-avaiable, sites-enabled. In modules direcotry is nothing

Ondra3211 · Apr 28, 2019

I put my config to conf.d directory and reloaded nginx without any errors. I have installed nginx 1.16.0. This is my virtual host config:
Restarted without any errors and this is in my config ssl_protocols TLSv1.3 TLSv1.2;

NGINX:

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /usr/share/nginx/web;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
      resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
      resolver_timeout 5s;

    location /beta {
        auth_basic "Administrator Login";
        auth_basic_user_file /var/www/web/beta/.htpasswd;
    }


}server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot


    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot




}

On ssllabs is this:

Code:

root@debian:~# openssl s_client -connect domain.tld:443 -tls1_3
CONNECTED(00000003)
139660857135360:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And this cipher suite not working

Code:

2019/04/28 13:51:46 [emerg] 18256#18256: SSL_CTX_set_cipher_list("TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

Ondra3211 · Apr 29, 2019

Ondra3211 said:

I put my config to conf.d directory and reloaded nginx without any errors. I have installed nginx 1.16.0. This is my virtual host config:
Restarted without any errors and this is in my config ssl_protocols TLSv1.3 TLSv1.2;

NGINX:

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /usr/share/nginx/web;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
      resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
      resolver_timeout 5s;

    location /beta {
        auth_basic "Administrator Login";
        auth_basic_user_file /var/www/web/beta/.htpasswd;
    }


}server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot


    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot




}

On ssllabs is this:
View attachment 1970

Code:

root@debian:~# openssl s_client -connect domain.tld:443 -tls1_3
CONNECTED(00000003)
139660857135360:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And this cipher suite not working

Code:

2019/04/28 13:51:46 [emerg] 18256#18256: SSL_CTX_set_cipher_list("TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

Can someone help me with this? I have OpenSSL 1.1.1b, nginx/1.16.0, Debian 9 Strech

swarupgolui · May 2, 2019

Ondra3211 said:
Can someone help me with this? I have OpenSSL 1.1.1b, nginx/1.16.0, Debian 9 Strech

Check This
https://github.com/nginxinc/docker-nginx/issues/251

NGINX - TLS 1.3

Ondra3211

Alligatoras

Ondra3211

Ondra3211

LILXJURK

Member

Ondra3211

LILXJURK

Member

Ondra3211

Ondra3211

Ondra3211

swarupgolui

Member