
After bashing my brain in with a brick (metaphorically, that is), I have finally figured out how to set the TLSv1.3 Cipher Suite order for my web server.

So, a little bit about my setup.

I’m using Nginx (mainline) 1.17.3, OpenSSL 1.1.1c (28 May 2019), and I’m on Debian 10.

The problem is that, even though Nginx has the ssl_ciphers directive to configure the cipher order, it only applies to the ciphers used by TLSv1.2 and lower.

However, the cipher suite order for TLSv1.3 can still be configured without touching Nginx at all; instead, it involves updating your /etc/ssl/openssl.cnf file.

I found this solution here.

Basically add the following to your /etc/ssl/openssl.cnf (your path may vary on other Linux distributions):

    [default_conf]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    CipherSuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2
    Options = ServerPreference

This should go above the [ new_oids ] section. OpenSSL only reads these sections because the top of the file (before any section header) has the line openssl_conf = default_conf pointing at them; Debian ships that line, so check it is still there.

I discovered this via this blog post.

Every time you update your /etc/ssl/openssl.cnf you will need to restart Nginx for it to recognize the change on your system.

Then you can test it via SSLLabs, or via the wonderful tool, testssl.sh.
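As an added example (not code from the original post), here is a small Python checker that follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf and reports the TLS 1.3 suite order, ServerPreference flag and MinProtocol the system default context will end up with. The config text is constructed from the fragment above, and the top-level openssl_conf = default_conf line that Debian's file carries is assumed.

```python
# The five TLS 1.3 suites OpenSSL 1.1.1 implements (RFC 8446 names).
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}

# Constructed sample: the post's fragment plus the top-level
# 'openssl_conf = default_conf' line that Debian's file already carries.
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherSuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Options = ServerPreference
"""

def parse_cnf(text):
    """Minimal openssl.cnf reader -> {section: {key: value}}; keys above the first [header] land in ""."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()          # '[ new_oids ]' -> 'new_oids'
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections

def check_tls13_config(text):
    """Follow openssl_conf -> ssl_conf -> system_default; ValueError names the first missing link."""
    cnf = parse_cnf(text)
    try:
        app_sect = cnf[""]["openssl_conf"]          # must sit above any [section]
        sect = cnf[cnf[cnf[app_sect]["ssl_conf"]]["system_default"]]
        suites = sect["CipherSuites"].split(":")    # server preference order
    except KeyError as missing:
        raise ValueError(f"config chain broken at {missing}") from None
    unknown = [s for s in suites if s not in TLS13_SUITES]
    if unknown:  # names the CipherSuites setting would not recognise
        raise ValueError(f"not TLS 1.3 suite names: {unknown}")
    opts = [o.strip() for o in sect.get("Options", "").split(",")]
    return {"suites": suites, "server_preference": "ServerPreference" in opts,
            "min_protocol": sect.get("MinProtocol")}
```

Run it against the real file with check_tls13_config(open("/etc/ssl/openssl.cnf").read()) before restarting Nginx; a missing top-level openssl_conf line shows up as a broken chain rather than a silently ignored section.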

My Nginx configuration file has:

    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;

The realization that Nginx wasn’t going to let me configure the TLSv1.3 cipher suites came from this.
