NGINX - TLS 1.3

Ondra3211

Contributor
May 5, 2018
nginx/1.14.1
OpenSSL 1.1.1b 26 Feb 2019
Debian 9


I want to try to disable TLS 1.3 on my website. This is my config:
NGINX:
server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /var/www/html;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;
}

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot

    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot
}
In all configuration files I don't have anything about TLS 1.3. I have disabled TLS 1.3 with ssl_protocols TLSv1.2; but it's still enabled and I don't know why.
[screenshot attachment]
How can I disable TLS 1.3 in nginx?

Alligatoras

Administrator
Mar 31, 2016
I assume you use Cloudflare due to some options you have there? You should disable TLS 1.3 from Cloudflare's domain settings.
Ondra3211

Contributor
May 5, 2018
I found the problem! In the changelog for nginx 1.14.2 is this:
Code:
    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.
I have nginx 1.14.1, so it's just a bug. How can I update my nginx to the newer version 1.14.2?

EDIT: I can't find any repo for Debian 9 Stretch. I want the latest nginx-full but there is nothing on the internet.
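Added example, not code from the thread or from nginx: a shell check for the condition in the changelog entry above, an nginx older than 1.14.2 built against OpenSSL 1.1.0 but loading the OpenSSL 1.1.1 library, in which case TLS 1.3 stays on whatever ssl_protocols says. It parses `nginx -V` output (written to stderr, hence `2>&1` in the usage line), relying on nginx printing "built with OpenSSL X" and appending "(running with OpenSSL Y)" when the run-time library differs from the build-time one.

```shell
#!/bin/sh
# Added example: detect the nginx/OpenSSL mismatch from the 1.14.2 changelog.
# nginx -V prints "built with OpenSSL <ver> ..." and, when the shared library
# loaded at run time differs, appends "(running with OpenSSL <ver> ...)".
# Usage on the server:  nginx -V 2>&1 | tls13_forced_on

# Parse nginx -V text on stdin into "nginx=<ver> built=<ver> running=<ver>".
nginx_ssl_versions() {
    awk '
        /^nginx version: / { split($3, v, "/"); nginx = v[2] }
        /^built with OpenSSL / {
            built = $4; running = built
            # "(running with OpenSSL " is 22 characters; the version follows it
            if (match($0, /\(running with OpenSSL [^ )]+/))
                running = substr($0, RSTART + 22, RLENGTH - 22)
        }
        END { printf "nginx=%s built=%s running=%s\n", nginx, built, running }'
}

# Return 0 when dotted version $1 is older than $2 (1.14.1 < 1.14.2 < 1.16.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= (na > nb ? na : nb); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Return 0 and print a diagnosis when the nginx -V text on stdin matches the
# bug: nginx < 1.14.2, built against OpenSSL 1.1.0, running on OpenSSL 1.1.1.
tls13_forced_on() {
    set -- $(nginx_ssl_versions)
    nginx=${1#nginx=}; built=${2#built=}; running=${3#running=}
    case "$built:$running" in
        1.1.0*:1.1.1*) ;;
        *) return 1 ;;
    esac
    version_lt "$nginx" 1.14.2 || return 1
    echo "nginx $nginx was built with OpenSSL $built but runs with $running:" \
         "TLS 1.3 is enabled regardless of ssl_protocols (fixed in nginx 1.14.2)"
}
```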

LILXJURK

Member
Dec 21, 2016
Ondra3211 said:
I found the problem! In the changelog for nginx 1.14.2 is this:
Code:
    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.
I have nginx 1.14.1, so it's just a bug. How can I update my nginx to the newer version 1.14.2?

EDIT: I can't find any repo for Debian 9 Stretch. I want the latest nginx-full but there is nothing on the internet.

Use the official nginx repo from https://nginx.org/en/linux_packages.html
LILXJURK

Member
Dec 21, 2016
Ondra3211 said:
I want nginx-full. This is only the nginx package.
Code:
root@debian:~# apt list -a nginx-full
Listing... Done
nginx-full/stretch-backports,stretch-backports,now 1.14.1-1~bpo9+1 amd64 [installed]
nginx-full/stable,stable 1.10.3-1+deb9u2 amd64

Nginx from the official repo is already built with all modules. You can read about it in the Dynamic Modules section. You don't need to have the nginx-full package from the Debian repo. Give it a try; if any package is missing you can always add it or rebuild nginx from source with it.
Ondra3211

Contributor
May 5, 2018
LILXJURK said:
Nginx from the official repo is already built with all modules. You can read about it in the Dynamic Modules section. You don't need to have the nginx-full package from the Debian repo. Give it a try; if any package is missing you can always add it or rebuild nginx from source with it.

I installed it but there are missing folders: sites-available, sites-enabled. In the modules directory there is nothing.
[screenshot attachment]
Ondra3211

Contributor
May 5, 2018
I put my config in the conf.d directory and reloaded nginx without any errors. I have installed nginx 1.16.0. This is my virtual host config:
It restarted without any errors and this is in my config: ssl_protocols TLSv1.3 TLSv1.2;

NGINX:
server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot
    server_name domain.tld www.domain.tld;
    index index.html index.htm index.php;
    root /usr/share/nginx/web;
    error_page 404 /404.html;
    listen 443 http2 ssl;
    ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ecdh_curve secp521r1:secp384r1;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    location /beta {
        auth_basic "Administrator Login";
        auth_basic_user_file /var/www/web/beta/.htpasswd;
    }
}

server {
    if ($host = www.domain.tld) {
        return 301 https://domain.tld$request_uri;
    } # managed by Certbot

    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name domain.tld www.domain.tld;
    return 404; # managed by Certbot
}
On ssllabs it shows this:
[SSL Labs screenshot attachment]
Code:
root@debian:~# openssl s_client -connect domain.tld:443 -tls1_3
CONNECTED(00000003)
139660857135360:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And this cipher suite is not working:
Code:
2019/04/28 13:51:46 [emerg] 18256#18256: SSL_CTX_set_cipher_list("TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

Can someone help me with this? I have OpenSSL 1.1.1b, nginx/1.16.0, Debian 9 Stretch.
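Added example, not code from the thread or from nginx: a shell audit of the TLS directives in a server block like the one above, which strips comments, reports whether ssl_protocols lists TLSv1.3, and flags TLS13-* names in ssl_ciphers, since nginx passes that directive to OpenSSL's SSL_CTX_set_cipher_list(), which covers only pre-1.3 suites and therefore fails with the "no cipher match" [emerg] shown above (OpenSSL 1.1.1 configures its TLS 1.3 suites, TLS_AES_256_GCM_SHA384 and friends, through the separate SSL_CTX_set_ciphersuites() call, for which nginx 1.16 has no directive). The config lines fed to it in testing are constructed; on a server run it as audit_tls_config < /etc/nginx/conf.d/domain.conf.

```shell
#!/bin/sh
# Added example: audit ssl_protocols / ssl_ciphers in an nginx config on stdin.
# ssl_ciphers goes to SSL_CTX_set_cipher_list(), which only knows TLS 1.2-and-
# earlier suites; TLS 1.3 suites (TLS_AES_256_GCM_SHA384, ...) live in a separate
# list that nginx 1.16 cannot set, so "TLS13-*" names make the directive fail.
# Usage: audit_tls_config < /etc/nginx/conf.d/domain.conf

# Print one finding per line for the config text on stdin.
audit_tls_config() {
    sed 's/#.*$//' | awk '
        $1 == "ssl_protocols" {
            sub(/;.*$/, "")                      # drop the terminator
            has13 = 0
            for (i = 2; i <= NF; i++) if ($i == "TLSv1.3") has13 = 1
            printf "ssl_protocols: TLSv1.3 %s\n", (has13 ? "enabled" : "disabled")
            seen = 1
        }
        $1 == "ssl_ciphers" {
            gsub(/[";]/, "")                     # strip quotes and terminator
            n = split($2, c, ":")
            bad = ""
            for (i = 1; i <= n; i++)
                if (c[i] ~ /^TLS13-/) bad = bad (bad == "" ? "" : ":") c[i]
            if (bad != "")
                printf "ssl_ciphers: %s rejected by SSL_CTX_set_cipher_list (TLS 1.3 suites are not configured here)\n", bad
            else
                print "ssl_ciphers: ok (TLS 1.2 suites only)"
        }
        END { if (!seen) print "ssl_protocols: absent, nginx compiled-in default applies" }'
}
```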