Open Chokoabigail opened 8 months ago
Ideally looking for a version that supports both TLS1.0 and http2.
Hi @Chokoabigail!
TLS 1.0 and http2 seem to work fine with nginx:1.25.3, which is Debian-based.
The following configuration confirms:
```nginx
server {
    server_name _;
    listen 443 ssl;
    http2 on;
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    ssl_ciphers 'DEFAULT@SECLEVEL=0';
    location / { return 200 'OK - $ssl_protocol - $ssl_cipher\n'; }
}
```
And testing with curl from inside the image:
```
# curl --ciphers 'DEFAULT@SECLEVEL=0' --tls-max 1.0 https://127.0.0.1:443/ -k
OK - TLSv1 - ECDHE-RSA-AES256-SHA
```
Hi @Chokoabigail !
Have you been able to figure out the issue with your TLS setup?
Hi @thresheek, I'm facing the same issue with nginx 1.27, trying to re-enable TLSv1 and TLSv1.1 in nginx-proxy.
The nginx configuration:
```nginx
# mozilla-old.nginx-proxy.tld/
upstream mozilla-old.nginx-proxy.tld {
    # Container: nginx-proxy-old-1
    #     networks:
    #         nginx-proxy_default (reachable)
    #     IP address: 172.22.0.4
    #     exposed ports (first ten): 80/tcp
    #     default port: 80
    #     using port: 80
    server 172.22.0.4:80;
}
server {
    server_name mozilla-old.nginx-proxy.tld;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 443 ssl ;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'DEFAULT@SECLEVEL=0';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/nginx-proxy.tld.crt;
    ssl_certificate_key /etc/nginx/certs/nginx-proxy.tld.key;
    set $sts_header "";
    if ($https) {
        set $sts_header "max-age=31536000";
    }
    add_header Strict-Transport-Security $sts_header always;
    location / {
        proxy_pass http://mozilla-old.nginx-proxy.tld;
        set $upstream_keepalive false;
    }
}
```
Then from inside the container:
```
202fd55cb312:/app# curl --ciphers 'DEFAULT@SECLEVEL=0' --resolve mozilla-old.nginx-proxy.tld:443:127.0.0.1 --tls-max 1.0 https://mozilla-old.nginx-proxy.tld -k
curl: (35) OpenSSL/3.3.2: error:0A00042E:SSL routines::tlsv1 alert protocol version
202fd55cb312:/app# curl --ciphers 'DEFAULT@SECLEVEL=0' --resolve mozilla-old.nginx-proxy.tld:443:127.0.0.1 --tls-max 1.1 https://mozilla-old.nginx-proxy.tld -k
curl: (35) OpenSSL/3.3.2: error:0A00042E:SSL routines::tlsv1 alert protocol version
202fd55cb312:/app# curl --ciphers 'DEFAULT@SECLEVEL=0' --resolve mozilla-old.nginx-proxy.tld:443:127.0.0.1 --tls-max 1.2 https://mozilla-old.nginx-proxy.tld -k
<!DOCTYPE html>
[...] rest of the page
```
Same result from the outside using either `nmap --script ssl-enum-ciphers`, `openssl s_client` or `curl`.
I think I found the issue: we have default values for `ssl_protocols` and `ssl_ciphers` that are defined outside of a `server` block and set to the Mozilla Intermediate TLS and ciphers configuration. This seemingly prevents TLSv1 and TLSv1.1 from working even if `ssl_protocols` and `ssl_ciphers` are redefined in a subsequent `server` block.
@thresheek does that seem correct to you?
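The question above (which `ssl_protocols`/`ssl_ciphers` a vhost ends up with when the directives also appear outside its `server` block) can be checked mechanically. The following Python lint is an added example, not code from this thread, from nginx or from nginx-proxy: it walks an nginx config, resolves the values each `server` block effectively uses (a directive set in the block wins, otherwise the enclosing block's value is inherited), and flags every vhost that lists TLSv1/TLSv1.1, reporting whether its ciphers carry `SECLEVEL=0` as in the working configuration earlier in the thread. The sample config is constructed, and the built-in nginx defaults it falls back on are assumptions stated in the code.

```python
import re
LEGACY = {"TLSv1", "TLSv1.1"}
DEFAULT_PROTOCOLS = "TLSv1.2 TLSv1.3"   # assumed nginx built-in default (docs: since 1.23.4)
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"    # assumed nginx built-in default

def _tokens(text):
    # Split an nginx config into '{', '}', block headers and 'directive args;' tokens.
    text = re.sub(r"#[^\n]*", "", text)                       # strip comments first
    return re.findall(r"\{|\}|[^{};]+;|[^{};]+(?=\{)", text)

def effective_tls(config):
    """One dict per server block: its effective ssl_protocols / ssl_ciphers / server_name."""
    stack = [("root", {})]                                    # (block header, directives seen)
    servers = []
    for tok in _tokens(config):
        tok = tok.strip()
        if tok == "}":
            header, scope = stack.pop()
            if header.split()[0] == "server":
                servers.append(scope)
        elif tok.endswith(";"):
            parts = tok[:-1].split(None, 1)                   # directive name, argument string
            if parts[0] in ("ssl_protocols", "ssl_ciphers", "server_name"):
                stack[-1][1][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        elif tok != "{":                                      # block header: child starts with a
            stack.append((tok, dict(stack[-1][1])))           # copy of the parent's directives
    return servers

def legacy_findings(config):
    """(server_name, legacy protocols, SECLEVEL=0 present) for each vhost listing TLSv1/1.1."""
    findings = []
    for s in effective_tls(config):
        legacy = sorted(set(s.get("ssl_protocols", DEFAULT_PROTOCOLS).split()) & LEGACY)
        if legacy:   # protocols alone are not enough: the thread's errors show OpenSSL 3 needs SECLEVEL=0
            ok = "SECLEVEL=0" in s.get("ssl_ciphers", DEFAULT_CIPHERS)
            findings.append((s.get("server_name", "(none)"), legacy, ok))
    return findings

# Constructed sample modelled on the thread: http-level defaults, one vhost re-enabling TLSv1/1.1 with SECLEVEL=0, one forgetting it.
SAMPLE_CONFIG = """http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    server { server_name modern.example.test; listen 443 ssl; }
    server {
        server_name mozilla-old.nginx-proxy.tld;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'DEFAULT@SECLEVEL=0';
    }
    server { server_name legacy.example.test; ssl_protocols TLSv1 TLSv1.2; }
}"""
```

Run `legacy_findings(open("/etc/nginx/conf.d/default.conf").read())` (or on the generated nginx-proxy config) to list the vhosts that would accept legacy TLS and which of them lack `SECLEVEL=0`.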
Describe the bug
The latest version of nginx (nginx:1.25.3, from all versions) does not support TLS1.0.
To reproduce
Deploy nginx:1.25.3 and set nginx `ssl_protocols` to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3`; you can put in the `ssl_ciphers` whatever value you want.
Expected behavior
Working TLS1.0 - can be tested using OpenSSL client.
Your environment
My OS is Ubuntu 22. When I used a different nginx flavor image (OpenResty, the latest version) on the same OS, TLS 1 worked without any issue, so from this I learned that this is not an OS issue, this is about the nginx docker itself.
Additional context
After searching online, I found a few recommended solutions:
A. Edit `/etc/ssl/openssl.cnf` and add to it:
B. Add this `ssl_ciphers DEFAULT@SECLEVEL=0;` to the nginx conf.
I tried both of the methods: I edited `/etc/ssl/openssl.cnf` inside and outside the docker, and I tried the B option, but none of that worked. I read in another post that the Alpine version didn't compile in the TLS1.0 support, so I switched from the alpine version to the regular nginx:1.25.3 and still nothing worked (including after I tried the above in it and outside it). How can I make it work? Is there a specific version of the regular Nginx that works with this? Do I need to do something differently to make it work? I must support TLS1.0 as well...