grahamedgecombe / nginx-ct

Certificate Transparency module for nginx.
https://grahamedgecombe.com/projects/nginx-ct
ISC License

Handshake failure on nginx 1.11.13 with OpenSSL_1_1_0-pre6-2220-gb3c42fc25 #20

Closed Night1 closed 7 years ago

Night1 commented 7 years ago

Hey,

Little bug report that took some time to trace down to ct.

I'm running a test server with TLSv1.3, and with the latest few post-draft-19 versions of the TLSv1.3 implementation I get a server handshake failure in all browsers tested.

However, after I comment out ssl_ct in the config, the site works again.

nginx build options:

```
nginx version: nginx/1.11.13
built by gcc 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=../openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_module --with-http_addition_module --with-http_geoip_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic
```

Is there a way to get this working again with the newest git of OpenSSL, or should one wait until TLSv1.3 is final? (Looks like draft 20 is coming out very soon.)

r-love commented 7 years ago

FYI I'm seeing this too with nginx 1.13.0 and openssl HEAD from today.

Night1 commented 7 years ago

I've been seeing this issue for a while, at least 2-3 weeks; at first I thought it was related to this (1). In fact it might still be.
FYI, I also upgraded nginx to 1.13.0 now with OpenSSL_1_1_0-pre6-2248-g7531b3a6c; the issue persists.

1) https://mta.openssl.org/pipermail/openssl-dev/2017-March/009146.html

grahamedgecombe commented 7 years ago

It's a bug in OpenSSL; I've submitted a PR: https://github.com/openssl/openssl/pull/3310

Night1 commented 7 years ago

Great @grahamedgecombe, thank you for the quick response :)

grahamedgecombe commented 7 years ago

Fix has been merged into OpenSSL's master branch, closing.

Night1 commented 7 years ago

Great work, thank you. I've tested and it works.