Forum » Programiranje » Nginx 1.25.x - Kako ponovno vklopit TLSv1.2 (ssl_protocols)?
Nginx 1.25.x - Kako ponovno vklopit TLSv1.2 (ssl_protocols)?
HotBurek ::
Dobru jutro.
Evo fantje in dekline, nov izziv.
Imam nginx 1.25.3 in dokumentacija ( https://nginx.org/en/docs/http/ngx_http... ) pravi, da je privzeta vrednost za ssl_protocols samo TLSv1.3.
Pomagam si tudi s temle navodili za test:
https://www.cyberciti.biz/faq/configure...
Curl ( curl -I -v --tlsv1.2 --tls-max 1.2 https://www...com ) faila:
V /etc/nginx/conf.d/ imam 3 config fajle (en config za direct na IP, drugi domena brez www, tretji domena z www), v vsakem pa po dva server bloka (eden http, drugi https):
In sedaj ne vem, kje je ta (ssl_protocols) default nastavitev shranjena in kako jo spremenit, da bo zraven še TLSv1.2? Zgornji config mi je do pred kratkem dela (1/2 leta nazaj), sedaj (upgrade...) pa ne več.
Evo fantje in dekline, nov izziv.
Imam nginx 1.25.3 in dokumentacija ( https://nginx.org/en/docs/http/ngx_http... ) pravi, da je privzeta vrednost za ssl_protocols samo TLSv1.3.
The TLSv1.3 parameter is used by default since 1.23.4.
Pomagam si tudi s temle navodili za test:
https://www.cyberciti.biz/faq/configure...
Curl ( curl -I -v --tlsv1.2 --tls-max 1.2 https://www...com ) faila:
* TLSv1.2 (IN), TLS alert, handshake failure (552): * OpenSSL/3.0.11: error:0A000410:SSL routines::sslv3 alert handshake failure * Closing connection 0 curl: (35) OpenSSL/3.0.11: error:0A000410:SSL routines::sslv3 alert handshake failure
V /etc/nginx/conf.d/ imam 3 config fajle (en config za direct na IP, drugi domena brez www, tretji domena z www), v vsakem pa po dva server bloka (eden http, drugi https):
server {
# listen
listen 127.0.0.1:80;
# server
server_name www...com;
# ...
}
server {
# listen
listen 127.0.0.1:443 ssl;
# set http2 on
http2 on;
# server
server_name www....com
# ssl
ssl_protocols TLSv1.2 TLSv1.3;
# ...
}
In sedaj ne vem, kje je ta (ssl_protocols) default nastavitev shranjena in kako jo spremenit, da bo zraven še TLSv1.2? Zgornji config mi je do pred kratkem dela (1/2 leta nazaj), sedaj (upgrade...) pa ne več.
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
kow ::
Ce te prav razumem pravis, da ti ne uposteva server (za 443 ssl) ssl_protocols nastavitve za TLSv1.2? Si restartal nginx in pogledal loge?
HotBurek ::
Ja in restartal ter tudi v log-ih (/var/log/syslog) ni nobenih errorjev, nginx -t tudi pravi da je vse vredu.
Sicer sem tudi tole prebral:
The ticket is about not being able to configure different SSL protocols for different name-based virtual servers on a single listening socket. This is, unfortunately, not possible due to OpenSSL limitations.
Vir: https://trac.nginx.org/nginx/ticket/676
V osnovi ne rabim različnih TLS verzij peer virtual server... Glavno, da imajo vsi TLS 1.3 in TLS 1.2.
Zagonetka je, kje je treba vnest ta ssl_protocols, da bo pofural default (ki je 1.3 only).
Prejle sem testiral, in sem iz vseh config-ov, ki so v /etc/nginx/conf.d/ odstranil ssl_protocols, ter ga dal v /etc/nginx/nginx.conf v server { } blok. Naredil nginx -t, vse vredu, restart. Test z curl, in TLS 1.2 še kar ne dela.
Sicer sem tudi tole prebral:
The ticket is about not being able to configure different SSL protocols for different name-based virtual servers on a single listening socket. This is, unfortunately, not possible due to OpenSSL limitations.
Vir: https://trac.nginx.org/nginx/ticket/676
V osnovi ne rabim različnih TLS verzij peer virtual server... Glavno, da imajo vsi TLS 1.3 in TLS 1.2.
Zagonetka je, kje je treba vnest ta ssl_protocols, da bo pofural default (ki je 1.3 only).
Prejle sem testiral, in sem iz vseh config-ov, ki so v /etc/nginx/conf.d/ odstranil ssl_protocols, ter ga dal v /etc/nginx/nginx.conf v server { } blok. Naredil nginx -t, vse vredu, restart. Test z curl, in TLS 1.2 še kar ne dela.
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
Zgodovina sprememb…
- spremenilo: HotBurek ()
kow ::
Malo offtopic, ampak.. zakaj noces, da klijent uporabi v1.3? Lahko curl pozenes s trace parametrom?
HotBurek ::
Rad bi oboje omogočil, 1.2 in 1.3.
Sedajle sem na vseh fajlih v /etc/nginx/conf.d/ nastavil ssl_protocols TLSv1.2;
In sedaj v brskalniku dobim error:
Ugibam, da je openssl "kriv". Se pravi /etc/ssl/openssl.cnf
Sedajle sem na vseh fajlih v /etc/nginx/conf.d/ nastavil ssl_protocols TLSv1.2;
In sedaj v brskalniku dobim error:
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Ugibam, da je openssl "kriv". Se pravi /etc/ssl/openssl.cnf
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
HotBurek ::
Zgleda da sem našel, kaj je narobe.
Gre za sledeč config v nginx:
Ko sem to zakomentiral, je začelo delat.
Tole me je pa pripeljalo do tega:
https://superuser.com/questions/1416714...
Openssl na strežniku podpira tole:
Sedaj pa moram ugotovit, kako se znebit teh iz spodnjega seznama (Qualys SSL test) v nginx ssl_ciphers:
Ter, kako dodat te:
To bo pa za jutri.
Gre za sledeč config v nginx:
ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256: ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256: DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8: DHE-RSA-AES128-CCM:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL";
Ko sem to zakomentiral, je začelo delat.
Tole me je pa pripeljalo do tega:
https://superuser.com/questions/1416714...
Openssl na strežniku podpira tole:
root@debian:/etc/ssl# openssl ciphers -v -s | grep TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 root@debian:/etc/ssl# openssl ciphers -v -s | grep TLSv1.3 TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
Sedaj pa moram ugotovit, kako se znebit teh iz spodnjega seznama (Qualys SSL test) v nginx ssl_ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
Ter, kako dodat te:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp384r1 (eq. 7680 bits RSA) FS 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH secp384r1 (eq. 7680 bits RSA) FS 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af) ECDH secp384r1 (eq. 7680 bits RSA) FS 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad) ECDH secp384r1 (eq. 7680 bits RSA) FS 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d) ECDH secp384r1 (eq. 7680 bits RSA) FS 256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH secp384r1 (eq. 7680 bits RSA) FS 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae) ECDH secp384r1 (eq. 7680 bits RSA) FS 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac) ECDH secp384r1 (eq. 7680 bits RSA) FS 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
To bo pa za jutri.
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
Zgodovina sprememb…
- spremenilo: HotBurek ()
HotBurek ::
Zanimivo je, če poženem tole:
Dobim:
In ta bi naj ustrezal temu iz zadnjega seznama (zgornji post):
Se pravi:
Zakaj ga config ne poreber...
openssl ciphers -v -s | grep TLSv1.2 | grep ECDHE | grep ECDSA | grep AES | grep 256 | grep GCM | grep SHA384
Dobim:
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
In ta bi naj ustrezal temu iz zadnjega seznama (zgornji post):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
Se pravi:
ECDHE-ECDSA-AES256-GCM-SHA384 = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Zakaj ga config ne poreber...
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
HotBurek ::
Trenutno imam tale config:
Vir: https://ssl-config.mozilla.org/
Seznam (na qualys ssl test) pokaže po tri na skupino: 3x za TLS 1.2, ter 3x za TLS 1.3
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
Vir: https://ssl-config.mozilla.org/
Seznam (na qualys ssl test) pokaže po tri na skupino: 3x za TLS 1.2, ter 3x za TLS 1.3
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
Zgodovina sprememb…
- spremenilo: HotBurek ()
HotBurek ::
Evo, zadevi sem prišel do konca.
Tole so ssl_ciphers za TLS 1.3:
Tole pa za TLS 1.2:
Za mapping sem uporabil tale seznam:
https://testssl.sh/openssl-iana.mapping...
Končni rezultat:
Pa še en praktičen ukaz za listanje podprtih cipher-jev:
Vir: https://support.citrix.com/article/CTX2...
Well done.
Tole so ssl_ciphers za TLS 1.3:
ECDHE-RSA-AES128-GCM-SHA256: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-CHACHA20-POLY1305:
Tole pa za TLS 1.2:
ECDHE-ECDSA-AES128-CCM: ECDHE-ECDSA-AES128-CCM8: ECDHE-ECDSA-AES256-CCM: ECDHE-ECDSA-AES256-CCM8: ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-ECDSA-ARIA128-GCM-SHA256: ECDHE-ECDSA-ARIA256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305;
Za mapping sem uporabil tale seznam:
https://testssl.sh/openssl-iana.mapping...
Končni rezultat:
Pa še en praktičen ukaz za listanje podprtih cipher-jev:
nmap s --script ssl-enum-ciphers -p 443 www...com
Vir: https://support.citrix.com/article/CTX2...
Well done.
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
Zgodovina sprememb…
- spremenilo: HotBurek ()
Vredno ogleda ...
| Tema | Ogledi | Zadnje sporočilo | |
|---|---|---|---|
| Tema | Ogledi | Zadnje sporočilo | |
| » | Avtolog.si (strani: 1 2 3 4 … 7 8 9 10 )Oddelek: Na cesti | 113676 (7743) | starfotr |
| » | 4096-bitni ključi ne bodo dovolj?Oddelek: Informacijska varnost | 2981 (1706) | zee |
| » | [Python] HTTPS na desktopu dela, na Arduinu neOddelek: Programiranje | 1398 (1011) | N4g4c3N |
| » | Pošiljanje emaila na @siol.netOddelek: Pomoč in nasveti | 4964 (4133) | SeMiNeSanja |
| » | LinkedIn spam?Oddelek: Loža | 2737 (2169) | kunigunda |