mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

nginx 1.14 with openssl 1.1 on e.g. ubuntu 18.04 supports TLS 1.3 #142

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hi,

see $Subject: the guide does not generate a working TLS 1.3 config for this combination of webserver and ssl lib:

https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1&guideline=5.6

Is there a reason for that?

It only generates an "intermediate" config with TLS 1.2, but without 1.3 support.

The "modern" variant doesn't get generated.

unfortunately, nginx 1.14.0 and OpenSSL 1.1 does not support the modern configuration

However, in my tests this works just fine:

curl -vv $my_https_host_with_above_spec
[..]
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

I find this somewhat misleading/confusing.

Any pointers would be appreciated. What's the reasoning for this?

As far as I understand TLS, 1.3 is strictly superior to TLS 1.2, no?

Thanks in advance

gene1wood commented 3 years ago

According to OpenSSL "The OpenSSL 1.1.1 release includes support for TLSv1.3" and so we set the minimum required version of OpenSSL to 1.1.1 for TLS 1.3.

You mention you're running OpenSSL 1.1 which I don't see as a valid OpenSSL version. Can you run openssl version to confirm that you're running 1.1?

ghost commented 3 years ago

My bad, it is indeed running 1.1.1 and I can confirm that the config generator adds TLS 1.3 when queried that way.

However: if 1.1 is not a valid version, the form should maybe reject it? It is currently not rejected as an invalid version number.

Thanks for your fast reply!

gene1wood commented 3 years ago

the form should maybe reject it

Ya, that would be nice. We don't currently have the list of all valid versions for the various webservers to be able to reject bogus versions; PRs are welcome though.
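As an added example (not the project's own code), here is a version check in the generator's language that applies the rule gene1wood states above (TLS 1.3 needs OpenSSL 1.1.1 or later) and rejects an input such as "1.1", which is not an OpenSSL release number. The accepted version format and the banner-parsing helper are assumptions, not taken from the project.

```javascript
// Added example, not part of ssl-config-generator.
// Minimum OpenSSL release with TLS 1.3 support, as stated in the thread.
const TLS13_MIN_OPENSSL = [1, 1, 1];

// Assumed format: <major>.<minor>.<fix> plus an optional patch letter
// (e.g. 1.0.2k, 1.1.0h, 1.1.1, 1.1.1k, 3.0.7). "1.1" does not match.
const OPENSSL_VERSION_RE = /^(\d+)\.(\d+)\.(\d+)([a-z]?)$/;

function parseOpenSslVersion(input) {
  const m = OPENSSL_VERSION_RE.exec(String(input).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], fix: +m[3], patch: m[4] || '' };
}

// Returns { valid, tls13, reason } for a user-supplied OpenSSL version.
function supportsTls13(input) {
  const v = parseOpenSslVersion(input);
  if (!v) {
    return { valid: false, tls13: false,
      reason: `"${input}" is not a valid OpenSSL version (expected e.g. 1.1.1k)` };
  }
  const nums = [v.major, v.minor, v.fix];
  const min = TLS13_MIN_OPENSSL.join('.');
  for (let i = 0; i < nums.length; i++) {
    if (nums[i] !== TLS13_MIN_OPENSSL[i]) {
      const ok = nums[i] > TLS13_MIN_OPENSSL[i];
      return { valid: true, tls13: ok,
        reason: ok ? `${input} >= ${min}, TLS 1.3 available`
                   : `${input} < ${min}, TLS 1.3 not available` };
    }
  }
  return { valid: true, tls13: true, reason: `${input} >= ${min}, TLS 1.3 available` };
}

// Pulls the release number out of text such as the output of
// `openssl version` or the "built with OpenSSL ..." line of `nginx -V`,
// so the check runs against what is actually installed rather than a
// hand-typed (and possibly truncated) number.
function versionFromBanner(text) {
  const m = /OpenSSL\s+(\d+\.\d+\.\d+[a-z]?)/.exec(String(text));
  return m ? m[1] : null;
}

// Constructed sample banner, resembling what the reporter's box would print.
const sampleBanner = 'built with OpenSSL 1.1.1  11 Sep 2018';
console.log(supportsTls13('1.1').reason);                        // rejected
console.log(supportsTls13(versionFromBanner(sampleBanner)).reason); // available
```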