TLSv1.3 not working on Fedora 31 and Nginx 1.16.1

You have a default ssl server block setup in your /etc/nginx/nginx.conf file.

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/comparelion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comparelion.com/privkey.pem;
    return 444;
}

Please either remove that part or add the below line to that server block.
include /etc/letsencrypt/options-ssl-nginx.conf;

Example:

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/comparelion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comparelion.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    return 444;
}

So if your default server block for ssl doesn’t enable TLS1.3, all other server blocks with TLS1.3 will not work. (Not sure what the logic behind that is, though.) My guess is it’ll fall back to default settings (for ciphers and protocols in your case).

After the edit, you might still not have TLS1.3 (but TLS1.1/1.0 should be disabled).

Thanks

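A way to check a configuration for the situation the answer describes, added here as an example and not part of the original post: it finds the default TLS server block (the one marked `default_server`, else the first) and reports whether that block sets `ssl_protocols` with TLSv1.3 or includes the options file. It assumes all server blocks share one listen address and port, that the options file sets `ssl_protocols`, and it does not look at `http`-level settings; `audit_default_tls` and the sample config are constructed for illustration.

```python
import re

# Constructed sample shaped like the post's config; example.test is a placeholder.
SAMPLE = """\
server {
    listen 80 default_server;
    listen 443 ssl default_server;   # catch-all block, no TLS options
    server_name _;
}
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def server_blocks(conf):
    """Return the body of each `server { ... }` block, found by brace matching."""
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies

def directives(body, name):
    """Argument lists of every `name args;` directive in a block body."""
    return [a.split() for a in re.findall(rf"^\s*{name}\s+([^;{{}}]+);", body, re.M)]

def tls_listens(body):
    return [a for a in directives(body, "listen") if "ssl" in a]

def audit_default_tls(conf, options_file="options-ssl-nginx.conf"):
    """Say whether the default TLS server block enables TLSv1.3."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    tls = [b for b in server_blocks(conf) if tls_listens(b)]
    if not tls:
        return "no TLS server block found"
    # nginx uses the block marked default_server, else the first one listed.
    default = next((b for b in tls
                    if any("default_server" in a for a in tls_listens(b))), tls[0])
    protocols = [p for a in directives(default, "ssl_protocols") for p in a]
    included = any(a[0].strip("'\"").endswith(options_file)
                   for a in directives(default, "include"))
    if "TLSv1.3" in protocols or included:
        return "ok"
    return "default TLS block does not enable TLSv1.3"
```

Feed it the concatenated configuration text; on `SAMPLE` it flags the catch-all block even though the second block lists TLSv1.3.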