Hello!

On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:

> >> And, if I change nginx to be 'TLSv1.3-only',
> >>
> >> - ssl_protocols TLSv1.3 TLSv1.2;
> >> - ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
> >> TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
> >> + ssl_protocols TLSv1.3;
> >> + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
> >> TLS13-AES-128-GCM-SHA256";
> >>
> >> even the webserver config check FAILs,
> >>
> >> nginxconfcheck
> >> TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL
> >> routines:SSL_CTX_set_cipher_list:no cipher match)
> >> nginx: configuration file /usr/local/etc/nginx/nginx.conf test
> >> failed
> >>
> >> and the server fails to start.
> >
> > That's because the cipher string listed contains no valid ciphers.
> >
> Sorry, I'm missing something :-/
>
> What's specifically "invalid" about the 3, listed ciphers?
>
> TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
> TLS13-AES-128-GCM-SHA256

There are no such ciphers in the OpenSSL. Try it yourself:

$ openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
Error in cipher list
0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

[...]

-- 
Maxim Dounin
http://mdounin.ru/
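
Review bot: the new ssl_ciphers value on the `+` line contains no name that OpenSSL accepts, because it drops ECDHE-ECDSA-CHACHA20-POLY1305 and keeps only the three TLS13-* names that the reply says do not exist in OpenSSL, so SSL_CTX_set_cipher_list reports "no cipher match" and the config test fails. Keep at least one name in ssl_ciphers that `openssl ciphers <name>` accepts, and check each name that way before changing the directive.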
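
The per-name check suggested in the reply can be scripted. The following is an added example, not part of the original thread: it feeds both ssl_ciphers values from the quoted change to OpenSSL through Python's ssl module and reports which names are accepted. The function name check_cipher_string is hypothetical, and the result reflects the OpenSSL that Python is linked against, which is assumed to match the one nginx uses.

```python
import re
import ssl


def check_cipher_string(cipher_string):
    """Return (whole_string_ok, {name: accepted}) for a cipher string.

    Uses ssl.SSLContext.set_ciphers(), which passes the string to OpenSSL's
    SSL_CTX_set_cipher_list(), the call named in the error on this page.
    Assumption: tokens are plain cipher names (no !, +, - or @ operators).
    """
    def accepted(value):
        # A fresh context per check so one result cannot affect the next.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.set_ciphers(value)
            return True
        except ssl.SSLError:  # raised when no cipher can be selected
            return False

    # OpenSSL cipher strings may be separated by spaces, colons or commas.
    names = [n for n in re.split(r"[\s:,]+", cipher_string) if n]
    return accepted(cipher_string), {n: accepted(n) for n in names}


# The two ssl_ciphers values from the quoted change.
BEFORE = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
          "TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305")
AFTER = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
         "TLS13-AES-128-GCM-SHA256")

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        ok, per_name = check_cipher_string(value)
        print(f"{label}: {'accepted' if ok else 'no cipher match'}")
        for name, good in per_name.items():
            print(f"  {'ok     ' if good else 'unknown'} {name}")
```

The "before" string passes only because OpenSSL ignores the names it does not recognise and still finds one it does; once that name is removed, nothing is left to match.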