On Wed, Aug 24, 2022 at 4:25 PM Fabiano Furtado Pessoa Coelho <fusc...@gmail.com> wrote:
>
> Hi...
>
> I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> with one NIC and 2 IPs, with the following config:
>
> * config based on
> https://ssl-config.mozilla.org/#server=nginx&version=1.22.0&config=intermediate&openssl=3.0.5&guideline=5.6
>
> 1st) IP 10.0.0.1 with intermediate config (only TLS 1.2 and 1.3 enabled):
>
> server {
>     listen 10.0.0.1:443 ssl http2;
>     server_name secure.example.com;
>
>     ssl_session_cache shared:SSL_intermediate:10m;
>
>     ssl_dhparam /etc/nginx/dhparams.pem;
>
>     ssl_protocols TLSv1.2 TLSv1.3;
>     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
>     ssl_prefer_server_ciphers off;
>     ...
> }
>
> 2nd) IP 10.0.0.2 with old config (TLS 1.0 through 1.3 enabled):
>
> server {
>     listen 10.0.0.2:443 ssl http2;
>     server_name insecure.example.com;
>
>     ssl_session_cache shared:SSL_old:10m;
>
>     ssl_dhparam /etc/nginx/dhparams.pem;
>
>     ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
>     ssl_prefer_server_ciphers on;
>     ...
> }
>
>
> $ netstat -nlpt | grep nginx | sort
> tcp        0      0 10.0.0.1:443    0.0.0.0:*    LISTEN    1337/nginx: master p
> tcp        0      0 10.0.0.2:443    0.0.0.0:*    LISTEN    1337/nginx: master p
>
>
> Trying TLS 1.0:
>
> $ openssl s_client -connect insecure.example.com:443 -tls1
> CONNECTED(00000003)
> 00FCC7F5507F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 135 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1661371345
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
>
> Trying TLS 1.1:
>
> $ openssl s_client -connect insecure.example.com:443 -tls1_1
> CONNECTED(00000003)
> 00FC0A99AB7F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 135 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1661371360
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
>
> Why can't I connect with TLS 1.0 or 1.1 on insecure.example.com?
>
> Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1?
>
> I have separated the "ssl_protocols" by IP and there are no other
> "ssl_protocols" directives configured outside of the server{} block.
>
> Thanks.
The HTTP/2 spec says TLS 1.2 when using secure sockets. See
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-http2-17#section-9.2 .

Jeff

_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
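One thing worth separating when debugging a report like the one above: `openssl s_client -tls1` is itself subject to the client machine's OpenSSL policy (MinProtocol or a `@SECLEVEL=2` CipherString in openssl.cnf), so "alert number 70" does not by itself prove which side refused TLS 1.0. The script below is an added example, not code from the thread or from nginx: it sends a hand-built ClientHello that offers exactly one protocol version and classifies the server's first record as a ServerHello (version accepted, with the real version pulled from supported_versions for TLS 1.3) or an alert (protocol_version vs. handshake_failure, which are different diagnoses). Host names are assumed; the byte strings it is checked against are constructed.

```python
"""Added example: probe a TLS listener with a hand-built ClientHello so the
result reflects only the server's policy, not the local openssl.cnf."""
import socket
import struct
import sys

TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302,
                "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# AlertDescription values (RFC 5246 / RFC 8446) that matter for a version probe.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      80: "internal_error", 86: "inappropriate_fallback"}

# Enough suites for a TLS 1.0-1.2 or a TLS 1.3 server to pick one; an empty
# intersection would show up as handshake_failure, not protocol_version.
CIPHER_SUITES = [0xC02B, 0xC02F, 0xC00A, 0xC014, 0x002F, 0x1301]


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version, server_name):
    """One TLS record carrying a ClientHello that offers exactly `version`,
    both in legacy_version and in the supported_versions extension."""
    ver = TLS_VERSIONS[version]
    legacy_version = min(ver, 0x0303)   # TLS 1.3 keeps 0x0303 here (RFC 8446 4.1.2)
    client_random = b"\x11" * 32        # fixed value: the handshake is never completed
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    name = server_name.encode()
    exts = _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # SNI
    exts += _ext(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))   # groups: x25519, P-256
    exts += _ext(0x000B, b"\x01\x00")                              # ec_point_formats
    exts += _ext(0x000D, struct.pack("!H", 6) + b"\x04\x03\x08\x04\x04\x01")  # sig algs
    exts += _ext(0x002B, struct.pack("!BH", 2, ver))               # supported_versions
    if ver == 0x0304:
        # TLS 1.3 requires a key_share; a fixed x25519 value suffices to get a ServerHello.
        exts += _ext(0x0033, struct.pack("!HHH", 36, 0x001D, 32) + b"\x22" * 32)
    body = (struct.pack("!H", legacy_version) + client_random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sends back. Returns
    ("server_hello", "TLSv1.x"), ("alert", description) or ("unknown", hex)."""
    try:
        if len(data) < 5:
            return ("unknown", data.hex())
        ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
        payload = data[5:5 + length]
        if ctype == 0x15 and len(payload) >= 2:                      # Alert
            return ("alert", ALERT_DESCRIPTIONS.get(payload[1], f"alert_{payload[1]}"))
        if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
            negotiated = struct.unpack("!H", payload[4:6])[0]
            pos = 6 + 32                      # skip server random
            pos += 1 + payload[pos]           # session id
            pos += 2 + 1                      # cipher suite, compression method
            if pos + 2 <= len(payload):
                ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
                pos, end = pos + 2, pos + 2 + ext_len
                while pos + 4 <= end:
                    etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
                    pos += 4
                    if etype == 0x002B and elen == 2:   # TLS 1.3 puts the real version here
                        negotiated = struct.unpack("!H", payload[pos:pos + 2])[0]
                    pos += elen
            return ("server_hello", VERSION_NAMES.get(negotiated, hex(negotiated)))
        return ("unknown", data[:5].hex())
    except (IndexError, struct.error):
        return ("unknown", data[:16].hex())


def probe(host, port, version, server_name=None, timeout=5.0):
    """Send one ClientHello for `version` to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, server_name or host))
        data = b""
        try:
            # Read until the first record (5-byte header + declared length) is complete.
            while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_server_response(data)


if __name__ == "__main__":
    # Usage: python3 tlsprobe.py insecure.example.com [443]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for v in TLS_VERSIONS:
        print(f"{v:8s} {probe(host, port, v)}")
```

Run it once against each listener, and again against a copy of the 10.0.0.2 server block whose `listen` line has no `http2`, to see whether the result tracks the listen flags rather than `ssl_protocols`. A `("alert", "protocol_version")` for TLS 1.0 and 1.1 from the raw probe means the server side is rejecting the version; a `("alert", "handshake_failure")` would instead point at the cipher list.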