nginx TLS 1.3 doesn't seem to work
Hello, I was browsing https://onedev.polarian.dev while diagnosing the other SSL issue I was having, and I ave realised that it only supports TLS 1.2, even though I have 1.3 enabled and loaded (confirmed with nginx -t) When I use curl: ~ on ☁ took 2s ❯ curl -vI https://onedev.polarian.dev * Trying 81.187.86.85:443... * Connected to onedev.polarian.dev (81.187.86.85) port 443 (#0) * ALPN: offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: none * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN: server accepted http/1.1 * Server certificate: * subject: CN=onedev.polarian.dev * start date: Mar 14 07:49:09 2023 GMT * expire date: Jun 12 07:49:08 2023 GMT * subjectAltName: host "onedev.polarian.dev" matched cert's "onedev.polarian.dev" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. * using HTTP/1.1
HEAD / HTTP/1.1 Host: onedev.polarian.dev User-Agent: curl/8.0.1 Accept: */*
< HTTP/1.1 200 OK HTTP/1.1 200 OK < Server: nginx/1.22.1 Server: nginx/1.22.1 < Date: Fri, 24 Mar 2023 12:03:18 GMT Date: Fri, 24 Mar 2023 12:03:18 GMT < Content-Type: text/html;charset=utf-8 Content-Type: text/html;charset=utf-8 < Connection: keep-alive Connection: keep-alive < X-FRAME-OPTIONS: SAMEORIGIN X-FRAME-OPTIONS: SAMEORIGIN < Set-Cookie: JSESSIONID=node0ksf08v71egm01j4p388blz4e012.node0; Path=/; HttpOnly; SameSite=Lax Set-Cookie: JSESSIONID=node0ksf08v71egm01j4p388blz4e012.node0; Path=/; HttpOnly; SameSite=Lax < Expires: Thu, 01 Jan 1970 00:00:00 GMT Expires: Thu, 01 Jan 1970 00:00:00 GMT < Pragma: no-cache Pragma: no-cache < Cache-Control: no-cache, no-store Cache-Control: no-cache, no-store < * Connection #0 to host onedev.polarian.dev left intact I can see that TLS 1.3 is supported, but for some reason during the handshake it settles on TLS 1.2, why? Thank you, -- Polarian GPG signature: 0770E5312238C760 Website: https://polarian.dev JID/XMPP: polarian@polarian.dev
Hi Polarian,
I have 1.3 enabled and loaded (confirmed with nginx -t)
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols says TLSv1.3 is not part of the default. Have you used set TLSv1.3 using ssl_protocols in both http{} and server{}? -- Cheers, Ralph.
Hello, Yes I have set it, I have allowed both 1.2 (legacy fallback) and 1.3 (for additional security), all other protocols (before 1.2) are blocked because well, they are just insecure outright. Thank you, -- Polarian GPG signature: 0770E5312238C760 Website: https://polarian.dev JID/XMPP: polarian@polarian.dev
you should only allow TLS 1.3 and HTTP2 :)
Well, that would be quite counter productive. Especially in the case of onedev, quite a few windows users are using it, windows 10 I believe, and last time I checked microsoft only supports TLS 1.3 on the latest server edition (to make users pay more for security). Therefore providing support for 1.2 is still important! Thanks, -- Polarian GPG signature: 0770E5312238C760 Website: https://polarian.dev JID/XMPP: polarian@polarian.dev
Hi Polarian,
Well, that would be quite counter productive.
Please follow mailing-list conventions on this list. Here you have not quoted pertinent context. This has been pointed out to you before by me and others. You, the one writer, are wasting the time of us, the many readers, who have to work out what's going on. -- Cheers, Ralph.
On Fri, Mar 24, 2023 at 02:48:12PM +0000, Ralph Corderoy wrote:
Here you have not quoted pertinent context. This has been pointed out to you before by me and others.
With all due respect... It was a response to a *one liner*. There doesn't have to be context. Use a MUA that can show you the thread. Cheers
Hi Reto,
Here you have not quoted pertinent context. This has been pointed out to you before by me and others.
With all due respect... It was a response to a *one liner*. There doesn't have to be context.
Yes there does. Others who emailed me off list to thank me clearly agree.
Use a MUA that can show you the thread.
The earlier emails have been deleted. -- Cheers, Ralph.
That makes it a you problem if you delete context, not a problem of the person replying. Deleting context prior to the thread having ended... well. As always, email is very much a personal preference thing. Everyone uses it a bit differently. But your blanket statement that polarian was somehow infringing basic conventions is not really true is it? There was plenty of context for people. If they deleted that or use say gmail that can't do threads, they should fix their setup ;)
Hi Reto,
That makes it a you problem if you delete context, not a problem of the person replying.
Your view is slightly broken.
Deleting context prior to the thread having ended... well.
How does one know when a thread has ended?
But your blanket statement that polarian was somehow infringing basic conventions is not really true is it?
It is true. There are conventions. Long established. Wise ones. I won't engage further on this issue. It's noise for the list. -- Cheers, Ralph.
Ok this has got out of hand, I was simply asking for help, I did not want a full on argument about when to quote and when to not to quote breaking out within the mailing list, its noisy (and that is coming from the noisiest person within the mailing list). When to quote, and how much to quote is subjective, some people want you to include the entire email conversation, and some people rather just make reference to comments others have made, regardless, its subjective. Ralph obviously prefers to delete emails and not store them in their inbox, its up to them, its their email address! However, on the other hand, if I am replying in a thread, I am not going to quote a conversation when it is clearly implied by the previous email, you have the mailing list archives, and maybe delete the email from your inbox after the thread goes stale? Otherwise you are missing out important information for the conversation which was in previous emails to the mailing list.
Your view is slightly broken.
In your opinion, remember the mailing list have guidelines, not strict rules, everyone has their own ways of writing emails, as long as others can understand them, what is the issue here? And I am aware you can't understand them because you delete the history, but that is an issue you created.
How does one know when a thread has ended?
Rule of thumb? If it goes stale for a week or two, most threads will not be revived at that point. Note to the mailing list operators, OpenBSD mailing list allows you to resend emails which you might have deleted from the list, maybe allow for the redelivery of emails from the archive by pressing a "redeliver" button or something, that would also help with this situation!
It is true. There are conventions. Long established. Wise ones.
I won't engage further on this issue. It's noise for the list.
Subjective once again, some people on the mailing list hate long emails, some people on the mailing list prefer long emails, every mailing list and every person is different. As you say there are conventions, although you should in general stick to them, it is not a warcrime to break them if you do not see the additional effort of quoting something which was implied by the previous email. Now can we go back to the original topic of getting TLS1.3 working? -- Polarian GPG signature: 0770E5312238C760 Website: https://polarian.dev JID/XMPP: polarian@polarian.dev
On 3/24/23 10:43, Polarian wrote:
Well, that would be quite counter productive. Especially in the case of onedev, quite a few windows users are using it, windows 10 I believe, and last time I checked microsoft only supports TLS 1.3 on the latest server edition (to make users pay more for security).
Therefore providing support for 1.2 is still important!
Do what works best for you and your web server client user base - different choices to be made for different purposes or needs. As I said "if your web clients are reasonably modern" - if not and they using old tech fine - you need older tech in your web server obviously. Maybe useful, pretty sure Edge 75 was released 3 years ago or so and supports 1.3 just fine. Don't know anything about onedev nor anyone that uses it so no views on that at all. Everyone should do whats best for their own situation. have good day.
El vie, 24-03-2023 a las 12:06 +0000, Polarian escribió:
Hello,
Hi!
[..]
I can see that TLS 1.3 is supported, but for some reason during the handshake it settles on TLS 1.2, why?
Take a look at this: https://ssl-config.mozilla.org/ It is a very good and very powerful tool that allows you to choose which SSL level you want and gives you the nginx configuration (among others) for it. Greetings. PS: I recommend the intermediate level which gives a very good level of security with a good backward compatibility. -- Óscar García Amor | ogarcia at moire.org | http://ogarcia.me
On 3/24/23 09:20, Óscar García Amor wrote:
PS: I recommend the intermediate level which gives a very good level of security with a good backward compatibility.
That is a good choice in general. If you know your web clients are reasonably 'modern' then the modern setting is a great choice as well. I use the modern setting. I am happy to not worry about clients which are 5 or more years old - they should update :) Side issue - sslabs still penalizes 1.3 only web servers for not having fallback to older protocols. I take this more about compatibility with older clients and not about security - perhaps obviously so. gene
Hello, I have almost all of these settings already, the only thing I do not have is the cyphers listed. Could the reason be that nginx is trying to use 1.2 cyphers while having 1.3 enabled? Thanks, -- Polarian GPG signature: 0770E5312238C760 Website: https://polarian.dev JID/XMPP: polarian@polarian.dev
participants (6)
-
Genes Lists
-
JustKidding
-
Polarian
-
Ralph Corderoy
-
Reto
-
Óscar García Amor