
Nginx [nginx-announce] nginx-1.15.4

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Sep 26, 2018.

  1. rdan

    rdan Well-Known Member

  2. eva2000

    eva2000 Administrator Staff Member

    Awesome - thanks for the heads up. So we are probably less than 3 weeks away from the Chrome 70 release, so TLS 1.3 RFC final is released, and soon after Firefox 63 with the same TLS 1.3 RFC final :)
     
  3. buik

    buik Well-known Member Premium Member

    In addition, Firefox is released around the same time as Chrome.
     
  4. buik

    buik Well-known Member Premium Member

    Last edited: Sep 28, 2018
  5. JJC84

    JJC84 Ad astra per aspera Premium Member

    I think that your English is fine.
     
  6. buik

    buik Well-known Member Premium Member

    You could remove this commit, as the Nginx team is not going to implement this feature in Nginx. Furthermore, the patch from carter.li won't work.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Indeed, cheers. It's disabled by default anyway.
     
  8. rdan

    rdan Well-Known Member

    Having this enabled, I got this error sometimes on Chrome:
    Code:
    ERR_SSL_VERSION_INTERFERENCE
     
  9. eva2000

    eva2000 Administrator Staff Member

    Probably why it's not ready for production live sites and needs testing first :)

    Which version of Chrome? Using Nginx + BoringSSL or Nginx + OpenSSL 1.1.1 for TLS 1.3? If it's with OpenSSL 1.1.1, it might be related to TLS 1.3 RFC final not being compatible with the TLS 1.3 draft 28 in Chrome 69 and lower, so try chrome://flags and test with TLS 1.3 disabled in Chrome 69 to confirm. Chrome 70 will update to TLS 1.3 RFC final. You can also try Nginx + BoringSSL TLS 1.3 and see, as Centmin Mod modified BoringSSL to support TLS 1.3 draft 23 and 28 as well as TLS 1.3 RFC final, so it should work with Chrome 69.

    Also, if you have anti-virus/malware scanning on the computer running Chrome, it could be doing man-in-the-middle (MITM) connections between your PC and the site you're connecting to, and the software might not support TLS 1.3 fully, hence problems, as TLS 1.3 also helps protect you from such eavesdropping apparently.
     
  10. rdan

    rdan Well-Known Member

    Latest Chrome 69.
    Nginx 1.15.4
    OpenSSL 1.1.1
    With TLS 1.3 enabled in the config.
    This config is just the default; I haven't modified it.
     
  11. eva2000

    eva2000 Administrator Staff Member

  12. rdan

    rdan Well-Known Member

    Ah, sorry, I'm already on 1.15.5.
    Forgot that version :).
     
  13. eva2000

    eva2000 Administrator Staff Member

    Try modifying it to disable TLS 1.3 in Chrome 69 and see what happens - the aim is to test all combinations of TLS 1.3 support on/off on the server and browser side to narrow the issue down.

    So does disabling the early data / 0-RTT directives below make the ERR_SSL_VERSION_INTERFERENCE error go away?
    Code (Text):
    ssl_early_data on;                              # accept TLS 1.3 0-RTT (early) data
    proxy_set_header Early-Data $ssl_early_data;    # tag early-data requests for the backend ("1" while the handshake is incomplete)
    

    If so, just keep it disabled for now.
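Added example, not part of the thread: the reason for forwarding `Early-Data` in the directives above is that TLS 1.3 0-RTT requests can be replayed by anyone who captured them, so the backend, not nginx, has to decide what may run before the handshake completes. The hypothetical Python WSGI backend below rejects non-idempotent early-data requests with 425 Too Early as RFC 8470 describes; the sample requests are constructed, and the `HTTP_EARLY_DATA` key is simply how WSGI presents nginx's `Early-Data` header.

```python
"""Hypothetical WSGI backend applying the RFC 8470 rule to nginx's Early-Data header.

Added example, not Centmin Mod or nginx code. nginx sets $ssl_early_data to
"1" for a request received as TLS 1.3 0-RTT data while the handshake is still
incomplete, and "" otherwise; proxy_set_header passes that to the backend as
the Early-Data header, which WSGI exposes as environ["HTTP_EARLY_DATA"].
"""

# Methods whose replay has no side effect (RFC 7231 safe methods).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def is_early_data(environ):
    """True when nginx marked the request as received in 0-RTT early data."""
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


def decide(environ):
    """Pick the status before any side effect runs: 425 Too Early for a
    replayable early-data request, 200 otherwise."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if is_early_data(environ) and method not in SAFE_METHODS:
        return "425 Too Early"
    return "200 OK"


def app(environ, start_response):
    """Minimal WSGI app; a real backend does its work only in the 200 branch."""
    status = decide(environ)
    if status.startswith("425"):
        # The client retries the identical request once the handshake completes;
        # the retry arrives without Early-Data: 1 and is processed normally.
        body = b"request sent as TLS early data; retry after the handshake completes\n"
    else:
        body = ("%s %s handled\n" % (environ.get("REQUEST_METHOD", "GET"),
                                     environ.get("PATH_INFO", "/"))).encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call(environ):
    """Drive app() without a server; returns (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests, shaped as nginx would present them to the backend.
    samples = (
        {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_EARLY_DATA": "1"},
        {"REQUEST_METHOD": "POST", "PATH_INFO": "/transfer", "HTTP_EARLY_DATA": "1"},
        {"REQUEST_METHOD": "POST", "PATH_INFO": "/transfer", "HTTP_EARLY_DATA": ""},
    )
    for env in samples:
        print(env["REQUEST_METHOD"], env["PATH_INFO"], "->", call(env)[0])
    # To serve it for real behind nginx:
    #   from wsgiref.simple_server import make_server
    #   make_server("127.0.0.1", 8080, app).serve_forever()
```

Two caveats a practitioner should keep in mind. The rule only holds if nothing but nginx can set `Early-Data`: a backend reachable directly would let a client strip the header, so keep it bound to the proxy. And "safe" in the RFC 7231 sense is not the same as side-effect free in every application (GET endpoints that mutate state exist), so extend the check with a path allow-list where that applies.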
     
  14. eva2000

    eva2000 Administrator Staff Member

    @rdan what about Chrome 70/71 beta/Canary browsers ? Firefox ?
     
  15. rdan

    rdan Well-Known Member

    Yes, I think; I haven't encountered the issue anymore.

    The ERR_SSL_VERSION_INTERFERENCE error just pops up, I think, 1% of the time I'm browsing my site.
    So it's very hard to debug on other browsers as I don't know how to replicate it exactly.

    Unless I get the error again, then it's not related to ssl_early_data.
     
  16. eva2000

    eva2000 Administrator Staff Member

    I just got ERR_SSL_VERSION_INTERFERENCE on an nginx site that was running old OpenSSL 1.1.1-pre2 with TLS 1.3 draft 23 when using Chrome Canary 71, which doesn't support TLS 1.3 draft 23 out of the box. But the same site works fine in Chrome stable 69, so it could be TLS 1.3 draft vs RFC conflicts as well.

    Used the nginx-binary-backup.sh tool to test and back up nginx 1.15.5 with OpenSSL 1.1.1 and another install of nginx 1.15.5 with BoringSSL:
    Code (Text):
    tools/nginx-binary-backup.sh list
    --------------------------------------------------------
    Listing of available Nginx binary/module backups
    --------------------------------------------------------
    /home/backup-nginxbin/1.15.5-gcc-7.3.1-20180303-openssl-1.1.1-061018-052213
    /home/backup-nginxbin/1.15.5-gcc-7.3.1-20180303-boringssl-061018-050833
    --------------------------------------------------------
    

    • With BoringSSL, the nginx site worked in both Chrome 69 and Canary 71, as BoringSSL has TLS 1.3 draft 23, 28 and final RFC version support. Chrome 69 reports a TLS 1.3 connection (guess: via TLS 1.3 draft 28) and Canary 71 reports TLS 1.3 (guess: via TLS 1.3 RFC final).
    • With OpenSSL 1.1.1, the nginx site worked in both Chrome 69 (reports a TLS 1.2 connection) and Canary 71 (reports TLS 1.3 RFC final).
    nginx binary backed up with OpenSSL 1.1.1
    nginx binary backed up with BoringSSL
     
    Last edited: Oct 6, 2018
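Added example, not part of this thread and not Centmin Mod, OpenSSL or BoringSSL code: the TLS 1.2 versus TLS 1.3 outcomes reported in the post above, and the draft-28 versus RFC-final mismatch discussed earlier in the thread, come down to the supported_versions extension in the ClientHello. Draft TLS 1.3 versions were encoded as 0x7fNN with NN the draft number (draft 23 is 0x7f17, draft 28 is 0x7f1c) while the RFC 8446 final version is 0x0304, and a server may only select a version the client listed, so an OpenSSL 1.1.1 final server and a draft-28 browser have only TLS 1.2 in common while a BoringSSL build carrying drafts 23, 28 and final has a match for both. The Python below builds a minimal ClientHello in memory (constructed input, not a capture), parses that extension back out, and applies version selection against server version lists that are assumptions modelled on the two builds above; the parser can equally be pointed at the first client-to-server TCP payload from a packet capture.

```python
"""Read which TLS 1.3 versions (draft vs RFC final) a ClientHello offers.

Added example; the ClientHello is constructed here, and the server version
lists in main() are assumptions modelled on OpenSSL 1.1.1 final and on a
BoringSSL build patched for drafts 23 and 28 plus the final RFC version.
"""
import struct

TLS12 = 0x0303
TLS13_FINAL = 0x0304
TLS13_DRAFT23 = 0x7f17
TLS13_DRAFT28 = 0x7f1c
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def version_name(v):
    """Human-readable name for a 2-byte TLS version code point."""
    if v == TLS13_FINAL:
        return "TLS 1.3 (RFC 8446)"
    if v == TLS12:
        return "TLS 1.2"
    if (v & 0xff00) == 0x7f00:          # draft code points: 0x7f00 | draft number
        return "TLS 1.3 draft %d" % (v & 0xff)
    return "0x%04x" % v


def build_client_hello(versions=None, sni=b"example.com"):
    """Construct a minimal ClientHello record. versions=None omits the
    supported_versions extension, as a pre-TLS-1.3 client would."""
    cipher_suites = b"\x13\x01\x13\x02"   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    entry = b"\x00" + struct.pack(">H", len(sni)) + sni         # host_name entry
    name_list = struct.pack(">H", len(entry)) + entry
    exts = struct.pack(">HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if versions is not None:
        vers = b"".join(struct.pack(">H", v) for v in versions)
        body = bytes([len(vers)]) + vers                          # 1-byte length prefix
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (b"\x03\x03"                       # legacy_version (always 1.2 in TLS 1.3)
             + bytes(32)                       # random: zeros, constructed input only
             + b"\x00"                         # legacy_session_id: empty
             + struct.pack(">H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00"                     # compression_methods: null only
             + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack(">I", len(hello))[1:] + hello   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def offered_versions(record):
    """Versions a ClientHello offers, in the client's preference order. Without
    a supported_versions extension only legacy_version counts."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + body[pos]                                     # legacy_session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos >= len(body):
        return [legacy_version]
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            if n % 2 or n != len(data) - 1:
                raise ValueError("malformed supported_versions")
            return [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, n + 1, 2)]
    return [legacy_version]


def negotiated_version(client_versions, server_versions):
    """First client-preferred version the server also speaks, or None. A real
    server may apply its own preference order, but it must pick from the
    client's list, so the None case is the same either way."""
    for v in client_versions:
        if v in server_versions:
            return v
    return None


if __name__ == "__main__":
    servers = {"OpenSSL 1.1.1 final": [TLS13_FINAL, TLS12],
               "patched BoringSSL": [TLS13_FINAL, TLS13_DRAFT28, TLS13_DRAFT23, TLS12]}
    clients = {"draft-28 client": build_client_hello([TLS13_DRAFT28, TLS12]),
               "RFC-final client": build_client_hello([TLS13_FINAL, TLS12]),
               "TLS 1.2-only client": build_client_hello()}
    for cname, hello in clients.items():
        offered = offered_versions(hello)
        print(cname, "offers", [version_name(v) for v in offered])
        for sname, sv in servers.items():
            chosen = negotiated_version(offered, sv)
            print("   ", sname, "->", version_name(chosen) if chosen else "no common version")
```

Run against the two modelled servers, the draft-28 client lands on TLS 1.2 with the OpenSSL 1.1.1 final list and on draft 28 with the patched BoringSSL list, which is the pair of outcomes reported for Chrome 69 above; the RFC-final client gets TLS 1.3 final from both.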
  17. buik

    buik Well-known Member Premium Member

    Chrome 70 with TLS 1.3 RFC support. 10 days and counting.
     
  18. rdan

    rdan Well-Known Member

    I removed TLS 1.3, switched to OpenSSL 1.1.0, and removed the dual cert and just use a single RSA cert for now.
    I need wider support more than bleeding-edge performance. :shy:
     
  19. eva2000

    eva2000 Administrator Staff Member

    6 days to go :D

    Shame. Maybe try with just OpenSSL 1.1.1 and the TLSv1.3 protocol disabled?
     
  20. rdan

    rdan Well-Known Member

    I'll try TLS 1.3 soon, with OpenSSL 1.1.1e maybe :D.
     