TLSv1.3 not working on Fedora 31 and Nginx 1.16.1

I tried everything I could do to enable TLS 1.3 for my sites, but I failed. Any help from the community will be appreciated.

Here’s the SSL config file generated by certbot for my sites:

#ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

OpenSSL version:

openssl version -a
OpenSSL 1.1.1d FIPS 10 Sep 2019
built on: Thu Oct 3 00:00:00 2019 UTC
platform: linux-x86_64

nginx -V output (installed from the RPM):
nginx version: nginx/1.16.1
built by gcc 9.1.1 20190605 (Red Hat 9.1.1-2) (GCC)
built with OpenSSL 1.1.1c FIPS 28 May 2019 (running with OpenSSL 1.1.1d FIPS 10 Sep 2019)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

I read somewhere that I should build and install nginx manually with the configure flag enable-tls1_3. I did this. Here’s the nginx -V output of that build:

nginx version: nginx/1.16.1
built by gcc 9.2.1 20190827 (Red Hat 9.2.1-1) (GCC)
built with OpenSSL 1.1.1d FIPS 10 Sep 2019
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' --with-openssl-opt=enable-tls1_3

Tools I used to check whether TLS 1.3 is working or not: testssl, ssllabs, and more.
Did I disable the SSL cache before testing? Yes, I did.

1 Like

Hi,

What’s your domain name?
Do you have a default virtualhost/server block setup for your Nginx that doesn’t use TLS1.3?

Thanks

1 Like

What’s your domain name?

URL --> https://www.websitecrawler.org/

Do you have a default virtualhost setup for your Nginx that doesn’t use TLS1.3?
No, the auto-generated certbot file options-ssl-nginx.conf is included in the server block of each virtualhost.

1 Like

In the file certbot generated, there’s only TLS1.2 and TLS1.3, but your domain also supports TLS1.1 and TLS1.0. Are you sure your Nginx used certbot’s configuration file?

Could you please execute the below command and upload the output to a pastebin (or something similar) and share the link?
nginx -T
The above command will dump the nginx server configuration.

Please also try to add the below ciphers for TLS1.3:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Basically your server doesn’t have a TLS1.3-specific cipher, and might not even be using the certbot configuration file.

Thanks

1 Like

Here’s the output of nginx -T command >> https://drive.google.com/file/d/1cMstaLEkYEWw__WfrijPGZT51ie9gfOh/view?usp=sharing

1 Like

You have a default ssl server block setup in your /etc/nginx/nginx.conf file.

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/comparelion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comparelion.com/privkey.pem;
    return 444;
}

Please either remove that part or add the below line to that server block.
include /etc/letsencrypt/options-ssl-nginx.conf;

Example:

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/comparelion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comparelion.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    return 444;
}

So if your default server block for ssl doesn’t enable TLS1.3, all other server blocks with TLS1.3 will not work. (Not sure what the logic behind that is, though.) My guess is it’ll fall back to default settings (for ciphers and protocols in your case).

After the edit, you might still not have TLS1.3 (But TLS1.1/1.0 should be disabled).

Thanks

1 Like
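The check the reply above did by hand, as an added example that is not part of the thread: a script that reads an nginx -T dump, finds the default server for every TLS listen socket (explicit default_server, else the first server block for that address:port), resolves include lines against the files in the dump, and flags servers that enable TLSv1.3 while the socket's default server does not. The dump below is constructed to mirror the thread's layout (it is not the poster's real configuration); the hard-coded default protocol list is assumed to match nginx 1.16, and http-level inheritance and glob includes are deliberately not modelled.

```python
"""Report which server block owns ssl_protocols on each nginx TLS listen socket,
from an `nginx -T` dump.  Added example; not code from the thread."""
import re
import sys
from collections import OrderedDict

# Assumption: nginx 1.16's compiled-in default, used when a server block sets no
# ssl_protocols of its own (http-level inheritance is not modelled here).
NGINX_DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]

FILE_HEADER = re.compile(r"^# configuration file (\S+):$")

# Constructed nginx -T style dump mirroring the thread's layout (not a real dump).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
        return 444;
    }
    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/conf.d/www.conf:
server {
    listen 443 ssl;
    server_name www.example.org;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / { return 200; }
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
"""


def split_dump(dump):
    """Map each '# configuration file X:' section of the dump to its lines."""
    files, current = OrderedDict(), None
    for line in dump.splitlines():
        header = FILE_HEADER.match(line.strip())
        if header:
            current = header.group(1)
            files[current] = []
        elif current is not None:
            files[current].append(line)
    return files


def server_blocks(files):
    """Yield (filename, lines) for each server { } block, keeping only the lines
    directly inside it; nested location/if blocks are skipped by brace depth."""
    for fname, lines in files.items():
        depth, server_depth, body = 0, None, []
        for line in lines:
            stmt = line.split("#", 1)[0].strip()
            if server_depth is None and re.match(r"^server\s*\{", stmt):
                server_depth, body = depth + 1, []
            elif depth == server_depth and "{" not in stmt and "}" not in stmt:
                body.append(stmt)
            depth += stmt.count("{") - stmt.count("}")
            if server_depth is not None and depth < server_depth:
                yield fname, body
                server_depth = None


def directives(lines, files):
    """Yield (name, args), following `include` of files present in the dump."""
    for line in lines:
        stmt = line.split("#", 1)[0].strip().rstrip(";")
        if not stmt:
            continue
        name, *args = stmt.split()
        if name == "include" and args and args[0] in files:
            yield from directives(files[args[0]], files)
        else:
            yield name, args


def analyze(dump):
    """Return {address: {default_name, default_protocols, shadowed}}; `shadowed`
    lists servers enabling TLSv1.3 while the socket's default server does not."""
    sockets, files = OrderedDict(), split_dump(dump)
    for fname, body in server_blocks(files):
        dirs = list(directives(body, files))
        name = next((a[0] for n, a in dirs if n == "server_name" and a), "(unnamed)")
        protos = next((a for n, a in dirs if n == "ssl_protocols"), NGINX_DEFAULT_PROTOCOLS)
        for n, a in dirs:
            if n != "listen" or "ssl" not in a[1:]:
                continue
            addr = a[0] if ":" in a[0] else "*:" + a[0]
            sockets.setdefault(addr, []).append(
                {"name": name, "file": fname, "protocols": protos,
                 "default": "default_server" in a})
    report = {}
    for addr, servers in sockets.items():
        # nginx rule: explicit default_server, else the first server for that address:port
        default = next((s for s in servers if s["default"]), servers[0])
        shadowed = [s["name"] for s in servers
                    if s is not default and "TLSv1.3" in s["protocols"]
                    and "TLSv1.3" not in default["protocols"]]
        report[addr] = {"default_name": default["name"],
                        "default_protocols": default["protocols"],
                        "shadowed": shadowed}
    return report


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for addr, r in analyze(dump).items():
        print(f"{addr}: default server '{r['default_name']}' -> {' '.join(r['default_protocols'])}")
        for name in r["shadowed"]:
            print(f"  {name} enables TLSv1.3 but the default server does not")
```

Run it against a live host with `nginx -T 2>/dev/null | python3 check_default_tls.py` (the file name is arbitrary); with no stdin it analyses the built-in sample, which reproduces the thread's situation: the catch-all `server_name _` block is the default on *:443 and carries only nginx's built-in protocol list, so www.example.org is reported as shadowed until the include line is added to that block.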

Yes, removing the block fixed the problem. I had added that block because some sites on my server were http only and they were redirecting to https sites when I used to access their https version instead of reporting an error. Yesterday, I enabled https for those sites.

Thank you very much :)

3 Likes