MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: Spacedust on 2019-04-28, 17:39:04
-
Please add it. As well as ALPN/HTTP2.
-
I was able to do it myself by compiling OpenSSL 1.1.1b and installing nginx from exove repo.
-
Also adding TLS 1.3 early data would be good:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
-
Make sure to check if your latest update for TLS 1.3 does work under CentOS 6.
CentOS 6 is delivered with openssl 1.0.1e which doesn't have TLS 1.3 support.
https://www.cdn77.com/tls-test
-
In the new update, the webserver configuration already accepts TLS 1.3 for nginx and apache.
-
It doesn't work as nginx has been compiled with OpenSSL 1.0.1e-fips 11 Feb 2013 which doesn't support TLS 1.3. Must be 1.1.1 or higher. Tested on CentOS 6.10.
Check these: https://packages.exove.com/nginx-http2.html
Also hide nginx version: server_tokens off;
nginx version: nginx/1.17.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
-
Yes. Need openssl 1.1.1+ to support TLS1.3.
-
I got OpenSSL 1.1.1b 26 Feb 2019 compiled inside the system, but now the nginx package needs to be recompiled again.
-
Can you compile such a package? Should be the same as these exove guys did but with IPv6 support and nginx 1.17.0.
-
I did compile by myself and TLS 1.3 is now working ;-)
We need to make a custom repo for nginx with TLS 1.3 for CentOS 6
https://www.cdn77.com/tls-test
Enabled SSL/TLS protocol versions
TLS 1.3 YES
TLS 1.2 YES
TLS 1.1 YES
TLS 1.0 YES
SSLv3 NO
SSLv2 NO
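
Added example, not part of the thread or of Kloxo-MR: a shell check that reads `nginx -V` text, like the output posted above, and reports whether that binary can negotiate TLS 1.3 (OpenSSL 1.1.1+), offer ALPN (OpenSSL 1.0.2+) and serve HTTP/2. The function names are hypothetical, and treating the lower of the build-time and run-time OpenSSL versions as decisive is a conservative assumption of this example.

```sh
#!/bin/sh
# Added example: judge TLS 1.3 / ALPN / HTTP/2 capability from `nginx -V` text.

# "1.0.1e-fips" -> 10001, "1.1.1b" -> 10101 (letter and suffix are ignored).
ossl_num() (
    v=${1%%[!0-9.]*}
    IFS=.
    set -- $v
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
)

# OpenSSL versions nginx reports: build-time, plus run-time if it differs.
ossl_versions() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
    printf '%s\n' "$1" | sed -n 's/.*(running with OpenSSL \([^ ]*\).*/\1/p'
}

# Lowest reported version as an integer; 0 if nginx names no OpenSSL at all.
# Assumption of this example: the lower of the two versions decides.
min_ossl() (
    min=0
    for v in $(ossl_versions "$1"); do
        n=$(ossl_num "$v")
        if [ "$min" -eq 0 ] || [ "$n" -lt "$min" ]; then min=$n; fi
    done
    echo "$min"
)

tls13_capable() { [ "$(min_ossl "$1")" -ge 10101 ]; }  # needs OpenSSL 1.1.1+
alpn_capable()  { [ "$(min_ossl "$1")" -ge 10002 ]; }  # needs OpenSSL 1.0.2+
http2_built()   { printf '%s\n' "$1" | grep -q -- '--with-http_v2_module'; }

report() {
    for check in tls13_capable alpn_capable http2_built; do
        if "$check" "$1"; then echo "$check: yes"; else echo "$check: no"; fi
    done
}

# Excerpt of the `nginx -V` output posted in the thread (configure line shortened).
THREAD_BUILD='nginx version: nginx/1.17.0
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --with-http_ssl_module --with-http_v2_module'

# Constructed sample: built against 1.1.0 headers, loading a 1.1.1 library.
MIXED_BUILD='nginx version: nginx/1.17.0
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
configure arguments: --with-http_ssl_module'

report "$THREAD_BUILD"   # on a live host: report "$(nginx -V 2>&1)"
```

`nginx -V` writes to stderr, hence the `2>&1` on a live host. A "no" for TLS 1.3 here means that listing TLSv1.3 in the web server configuration cannot take effect until nginx is rebuilt against a newer OpenSSL.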