Nginx [nginx-announce] nginx-1.15.4

Awesome - thanks for heads up. So we are probably less than 3 weeks away from Chrome 70 release so TLS 1.3 RFC final is released and soon after Firefox 63 with same TLS 1.3 RFC final

 

Indeed cheers.. it's disabled by default anyway.

 

probably why it's not ready for productive live sites and needs testing first

which version of Chrome ? using Nginx + BoringSSL or Nginx + OpenSSL 1.1.1 for TLS 1.3 ? If it's with OpenSSL 1.1.1 it might be related to TLS 1.3 RFC final not being compatible with Chrome 69 and lower TLS 1.3 draft 28, so try chrome://flags and test with TLS 1.3 disabled in Chrome 69 to confirm. Chrome 70 will update to TLS 1.3 RFC final. You can also try Nginx + BoringSSL TLS 1.3 and see as Centmin Mod modified BoringSSL to support TLS 1.3 draft 23 and 28 as well as TLS 1.3 RFC final so should work with Chrome 69.

Also if you have a anti-virus/malware scanning on computer running Chrome, it could be doing man in the middle (MITM) connections between your PC and the site you're connecting to and the software might not support TLS 1.3 fully hence problems as TLS 1.3 also helps protect you from such eaves dropping apparently.

 

what about update to nginx 1.15.5 bug fixes might help Nginx - Nginx 1.15.5 released ?

 

Try modifying it to disable TLS 1.3 in Chrome 69 and see what happens - aim is to test all combinations of TLS 1.3 support on/off on server and browser side to narrow the issue down

so disabling early data / 0-RTT directives below, makes ERR_SSL_VERSION_INTERFERENCE error go away ?

Code (Text):

ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;

if so just keep it disabled for now

 

@rdan what about Chrome 70/71 beta/Canary browsers ? Firefox ?

 

I just got ERR_SSL_VERSION_INTERFERENCE on a nginx site that was running old openssl 1.1.1-pre2 TLS 1.3 draft 23 when using Chrome Canary 71 which doesn't support TLS 1.3 draft 23 out of the box. But same site works fine in Chrome stable 69 so it could be TLS 1.3 draft vs rfc conflicts as well.

Used nginx-binary-backup.sh tool to test and backup nginx 1.15.5 with OpenSSL 1.1.1 and another install for nginx 1.15.5 with BoringSSL

Code (Text):

tools/nginx-binary-backup.sh list
--------------------------------------------------------
Listing of available Nginx binary/module backups
--------------------------------------------------------
/home/backup-nginxbin/1.15.5-gcc-7.3.1-20180303-openssl-1.1.1-061018-052213
/home/backup-nginxbin/1.15.5-gcc-7.3.1-20180303-boringssl-061018-050833
--------------------------------------------------------

• with BoringSSL, the nginx site worked in both Chrome 69 and Canary 71 as BoringSSL has TLS 1.3 draft 23, 28 and final RFC version support. Chrome 69 reports TLS 1.3 connection guess via TLS 1.3 draft 28 and Canary 71 reports TLS 1.3 guess via TLS 1.3 RFC final
• with OpenSSL 1.1.1, the nginx site worked in both Chrome 69 (reports TLS 1.2 connection) and Canary 71 (reports TLS 1.3 RFC final)

nginx binary backed up with OpenSSL 1.1.1

nginx binary backed up with BoringSSL

 

6 days to go

Shame maybe try with just OpenSSL 1.1.1 and TLSv1.3 protocol disabled ?