Want more timely Centmin Mod News Updates?
Become a Member

Nginx [nginx-announce] nginx-1.15.4

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Sep 26, 2018.

  1. rdan

    rdan Premium Member Premium Member

    4,517
    1,082
    113
    May 25, 2014
    Ratings:
    +1,579
    Local Time:
    8:20 AM
    Mainline
    10.2
    Other sites using OpenSSL 1.1.1 + TLS 1.3 + Pure ECC Certificate works perfectly fine.
     
  2. eva2000

    eva2000 Administrator Staff Member

    38,662
    8,538
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,118
    Local Time:
    10:20 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    other sites on same server or different server ? weird
     
  3. rdan

    rdan Premium Member Premium Member

    4,517
    1,082
    113
    May 25, 2014
    Ratings:
    +1,579
    Local Time:
    8:20 AM
    Mainline
    10.2
    :D (y)
     
    • Informative Informative x 1
  4. eva2000

    eva2000 Administrator Staff Member

    38,662
    8,538
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,118
    Local Time:
    10:20 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    99% sure it's visitors anti-virus programs not supporting TLS 1.3 properly as they MITM scan https connections Not able to visit a lot of HTTPS websites ERR_SSL_VERSION_INTERFERENCE [merged]

     
    • Like Like x 1
    • Informative Informative x 1
  5. bassie

    bassie Well-Known Member

    1,051
    255
    83
    Apr 29, 2016
    Ratings:
    +753
    Local Time:
    1:20 AM
    D-day! Chrome 70 with TLS 1.3 RFC support. 24 hours or less and counting.
     
    • Like Like x 1
  6. rdan

    rdan Premium Member Premium Member

    4,517
    1,082
    113
    May 25, 2014
    Ratings:
    +1,579
    Local Time:
    8:20 AM
    Mainline
    10.2
    Deployed again for the last 10 hours and no one complains anymore.
    Nginx 1.15.5 + OpenSSL 1.1.1 + TLS 1.3 .

    Only changes vs last week was I offer both ECC and RSA.
    Now I only serve RSA Cert.
     
  7. Akansha

    Akansha New Member

    3
    0
    1
    Dec 18, 2018
    Ratings:
    +0
    Local Time:
    5:50 AM
    1.15.6
    We are using nginx 1.15.6 and we have enable TLS 1.3 also enabled early data using the following command in our nginx configuration file.
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;


    But it is showing that Early data was not sent.
    we are getting the following
    Code:
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 367 bytes and written 1349 bytes
    Verification: OK
    ---
    Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 2B26FE64F5BDA3986B4E754B1A1C981C4F32F8619997DD8F022476E91E606F9A
        Session-ID-ctx:
        Resumption PSK: C2740B4CEEED78B5FDEBBE43104BF20016B544BEB09792509B0E647D7CCE3789B7D6769945535CCDE0BA5FF443FA9BEC
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - c2 6e 0c c7 f4 95 69 c7-09 87 7c f8 39 f7 a7 bb   .n....i...|.9...
        0010 - 4e d2 ce 82 de 2f bf ac-6d ad 20 72 0e be 16 0c   N..../..m. r....
        0020 - 3f e6 43 c8 bf 4e 05 bc-94 2e 17 b4 99 8a 1d d9   ?.C..N..........
        0030 - 0f 58 e4 dc 79 08 72 14-74 5d 3f 16 09 d7 82 33   .X..y.r.t]?....3
        0040 - b3 27 b4 c7 7d 73 e8 73-24 fb f6 a6 c3 1e 94 e2   .'..}s.s$.......
        0050 - 33 84 59 5b 9d 7c c4 fe-36 45 e4 9d cc 05 20 e7   3.Y[.|..6E.... .
        0060 - ba 48 42 83 88 0e 27 92-30 19 19 67 80 63 c7 31   .HB...'.0..g.c.1
        0070 - ab e5 19 fb ff 87 c2 c6-9e b2 9c 0c be cc 32 28   ..............2(
        0080 - ee d6 85 65 1e 47 bb 2a-61 69 96 b0 52 b1 b2 93   ...e.G.*ai..R...
        0090 - 09 d5 f6 27 c5 b7 bc f5-70 b3 22 df 2a c4 f8 51   ...'....p.".*..Q
        00a0 - 7f 3a 02 c5 82 f6 43 49-4f 9c 2f e3 7c 2e 03 ab   .:....CIO./.|...
        00b0 - 7d 5a ca 37 67 04 7f b9-8f e3 7e ee e3 32 a8 f6   }Z.7g.....~..2..
        00c0 - 60 af 7c 19 10 c5 24 52-11 23 c0 2e 36 39 0a 69   `.|...$R.#..69.i
        00d0 - 18 08 cb 49 c3 73 4b c8-c4 4e bc 57 33 c6 9d 8e   ...I.sK..N.W3...
        00e0 - de dd 17 ec 5e 30 44 a0-7a 94 18 e5 55 8f 0b 0a   ....^0D.z...U...
    
        Start Time: 1545297256
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 16384
    ---
    read R BLOCK
    
    Where am i getting wrong?
    Any help will be appreciated.
     
  8. eva2000

    eva2000 Administrator Staff Member

    38,662
    8,538
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,118
    Local Time:
    10:20 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  9. Akansha

    Akansha New Member

    3
    0
    1
    Dec 18, 2018
    Ratings:
    +0
    Local Time:
    5:50 AM
    1.15.6

    yes, we did. But it is showing the following result.

    Code:
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    
     
  10. eva2000

    eva2000 Administrator Staff Member

    38,662
    8,538
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,118
    Local Time:
    10:20 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    just tested and not having any problems on 123.09beta01 with test domain http2.domain.com

    created /tmp/https.txt with contents
    Code (Text):
    GET / HTTP/1.1
    Host: http2.domain.com:443
    

    add to /usr/local/nginx/conf/conf.d/http2.domain.com.ssl.conf vhost place directives above web root /
    Code (Text):
      ssl_early_data on;
      proxy_set_header Early-Data $ssl_early_data;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    

    save HTTP/2 HTTPS session
    Code (Text):
    /opt/openssl/bin/openssl s_client -connect http2.domain.com:443 -sess_out session.pem
    

    replay saved session for HTTP/2 HTTPS early data TLS 1.3 0-RTT
    Code (Text):
    echo -n | /opt/openssl/bin/openssl s_client -connect http2.domain.com:443 -sess_in session.pem -early_data /tmp/https.txt
    
    ---
    SSL handshake has read 245 bytes and written 779 bytes
    Verification error: self signed certificate
    ---
    Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 256 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was accepted
    Verify return code: 18 (self signed certificate)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 6D5050A7F4FCD05B9E01EAE97C1ACB73C5237EF455982BC3878DA9D4F70D6F34
        Session-ID-ctx: 
        Resumption PSK: 0CD983646EFF898629BB929C5048611F11C6CF90E133CAF666590FAD1FEFA38D5DADF5B37239F25BB1C58381AF372BA7
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
    
        Start Time: 1545305699
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: no
        Max Early Data: 16384
    
     
..