Hello!

On Fri, Jul 19, 2019 at 11:24:36AM -0700, PGNet Dev wrote:

> On 7/19/19 11:02 AM, Maxim Dounin wrote:
> > Hello!
> >
> > On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:
> >
> >>>> And, if I change nginx to be 'TLSv1.3-only',
> >>>>
> >>>> - ssl_protocols TLSv1.3 TLSv1.2;
> >>>> - ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256
> >>>> TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256
> >>>> ECDHE-ECDSA-CHACHA20-POLY1305";
> >>>> + ssl_protocols TLSv1.3;
> >>>> + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256
> >>>> TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";
> >>>>
> >>>> even the webserver config check FAILs,
> >>>>
> >>>> nginxconfcheck
> >>>> TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL
> >>>> routines:SSL_CTX_set_cipher_list:no cipher match)
> >>>> nginx: configuration file /usr/local/etc/nginx/nginx.conf test
> >>>> failed
> >>>>
> >>>> and the server fails to start.
> >>>
> >>> That's because the cipher string listed contains no valid ciphers.
> >>
> >>
> >> Sorry, I'm missing something :-/
> >>
> >> What's specifically "invalid" about the 3, listed ciphers?
> >>
> >> TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
> >> TLS13-AES-128-GCM-SHA256
> >
> > There are no such ciphers in the OpenSSL.
> > Try it yourself:
> >
> > $ openssl ciphers TLS13-CHACHA20-POLY1305-SHA256
> > Error in cipher list
> > 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
> > match:ssl/ssl_lib.c:2549:
> >
> > [...]
>
> Then what are these lists?

You may want to re-read my initial answer and the ticket it links to.

[...]

-- 
Maxim Dounin
http://mdounin.ru/
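
Review bot: the `+ ssl_ciphers` line keeps only the three TLS13-* names, which the reply says are not cipher names in OpenSSL, so SSL_CTX_set_cipher_list has nothing to select and the config test fails with "no cipher match"; the removed line also carried ECDHE-ECDSA-CHACHA20-POLY1305. When switching ssl_protocols to TLSv1.3, leave in ssl_ciphers at least one name that `openssl ciphers <name>` accepts on this build.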
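
The `openssl ciphers` test suggested in the thread, as an added example that is not part of the original message: Python's `ssl.SSLContext.set_ciphers()` hands the string to the same `SSL_CTX_set_cipher_list` call named in the error, so it can check an nginx `ssl_ciphers` value token by token against the OpenSSL it is linked with. The helper names `accepted`, `audit` and `tls13_suite_names` are assumptions of this sketch; the two cipher strings are copied from the quoted change.

```python
import ssl

# ssl_ciphers values from the quoted change (old line, then new line).
OLD_CIPHERS = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
               "TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305")
NEW_CIPHERS = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
               "TLS13-AES-128-GCM-SHA256")


def accepted(cipher_string):
    """True if OpenSSL's cipher-list parser selects at least one cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
        return True
    except ssl.SSLError:  # the "no cipher match" case
        return False


def audit(cipher_string):
    """Test the whole string, then every selecting token on its own."""
    tokens = cipher_string.replace(":", " ").replace(",", " ").split()
    # Tokens starting with ! - + @ are operators; alone they select nothing.
    names = [t for t in tokens if t[0] not in "!-+@"]
    return {
        "whole_string_ok": accepted(cipher_string),
        "matched": [t for t in names if accepted(t)],
        "unmatched": [t for t in names if not accepted(t)],
    }


def tls13_suite_names():
    """Names the linked OpenSSL uses for its TLSv1.3 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, value in (("old", OLD_CIPHERS), ("new", NEW_CIPHERS)):
        print(label, audit(value))
    print("TLSv1.3 suites in this build:", tls13_suite_names())
```

Unknown names are skipped silently as long as one other token matches, which is why the old line loaded and the new one did not.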