/ Register

Want more timely Centmin Mod News Updates?
Become a Member

OpenSSL OpenSSL 1.1.1 and Chrome 70 with TLS 1.3 RFC support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Oct 16, 2018.

Tags:
Previous Thread Next Thread
Loading...
Page 2 of 4
  1. Oct 17, 2018 #21
    buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    6:06 PM
    Thanks for the reply.
    Not been home today until now. Has this beta been released today and later renamed to final?

    BTW The bonus points go to the Firefox team today.
    Release of Firefox 63 with TLS 1.3 planned in 1 week, oct 23 th.
     
  2. Oct 17, 2018 #22
    Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    5:06 PM
    1.9.x
    10.1.x
    I received today a new update in the beta channel and it was that version. I guess currently, Final and Beta are exactly the same version.
     
  3. Oct 17, 2018 #23
    Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    5:06 PM
    1.9.x
    10.1.x
    Mine:

    [​IMG]

    [​IMG]
     
  4. Oct 17, 2018 #24
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    6:06 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    why?

    3.png

    1.png

    2.png
     
  5. Oct 17, 2018 #25
    eva2000

    eva2000 Administrator Staff Member

    54,583
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    3:06 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    check /usr/local/nginx/conf/ssl_include.conf if it lists TLSv1.3 in ssl_protocols
    Code (Text):
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    then restart nginx
     
  6. Oct 17, 2018 #26
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    6:06 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Output

    Code:
    # cat /usr/local/nginx/conf/ssl_include.conf

ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    60m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
     
  7. Oct 17, 2018 #27
    buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    6:06 PM
    What about your nginx ciphers? Does it enlist TLS 1.3
     
  8. Oct 17, 2018 #28
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    6:06 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Do you see anything wrong? :unsure:

    Code (Text):
      # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #######################add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #######################spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;
 
  #enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
     
  9. Oct 17, 2018 #29
    rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    1:06 AM
    Mainline
    10.2
  10. Oct 17, 2018 #30
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    6:06 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
     
  11. Oct 17, 2018 #31
    eva2000

    eva2000 Administrator Staff Member

    54,583
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    3:06 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    latest is
    Code (Text):
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

    but yours should work, what does Chrome 70 security tab say ?

    you can also try recompile nginx via centmin.sh menu option 4
     
  12. Oct 17, 2018 #32
    eva2000

    eva2000 Administrator Staff Member

    54,583
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    3:06 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    also may need to update all references for ssl_ciphers in all nginx vhosts if you have more than one vhost on server
     
  13. Oct 17, 2018 #33
    rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    1:06 AM
    Mainline
    10.2
    Nginx 1.15.5 + OpenSSL 1.1.1, TLS 1.3 works fine on:
    • Windows 7 Chrome 70
    • Windows 8.1 Chrome 70
    • Windows 10 Chrome 70
     
  14. Oct 17, 2018 #34
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    6:06 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    1.png

    2.png

    I will put yours chipers and recompile nginx
     
  15. Oct 17, 2018 #35
    eva2000

    eva2000 Administrator Staff Member

    54,583
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    3:06 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    security tab as in dev tools

    chrome70-tls1.3-rfc-final-centminmod-nginx-1.15.5-openssl-1.1.1-02.png
     
  16. Oct 17, 2018 #36
    buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    6:06 PM
    @Sunka secondly, are you using Kaspersky internet security or any other security suite?
    For example Kaspersky hijacks your connections to scan it for security purposes.
    Therefore your connection will always be TLS 1.2.
     
  17. Oct 17, 2018 #37
    eva2000

    eva2000 Administrator Staff Member

    54,583
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    3:06 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    he is testing 3rd party ssllabs so probably wouldn't apply in that case
     
  18. Oct 17, 2018 #38
    Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    6:06 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    I just have one vhost (I think).

    This is pijanitvor.com.ssl.conf file

    Code (Text):
    cat /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
   server_name pijanitvor.com www.pijanitvor.com;
    return 301 https://www.$server_name$request_uri;
 }

server {
  listen 443 ssl http2;
  server_name pijanitvor.com www.pijanitvor.com;

  ##  redirect https non-www to https www
      if ($host = 'pijanitvor.com' ) {
         return 301 https://www.pijanitvor.com$request_uri;
      }
 
  ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #######################add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #######################spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;
 
  #enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/pijanitvor.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/pijanitvor.com/log/error.log;

  root /home/nginx/domains/pijanitvor.com/public;

  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        include /usr/local/nginx/conf/blockbots.conf;
    }

### ORIGINAL ###
location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow xxxxxxx;
        deny all;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        allow xxxxxxx;
        deny all;
    }
 
    location /install/data/ {
        internal;
        allow 127.0.0.1;
        allow xxxxxxx;
        deny all;
    }
 
      location /install/templates/ {
        internal;
        allow 127.0.0.1;
        allow xxxxxxx;
        deny all;
    }
 
      location /src/ {
        internal;
        allow 127.0.0.1;
        allow xxxxxxx;
        deny all;
    }

  # prevent access to ./directories and files
        location ~ (?:^|/)\. {
   deny all;
        } 


  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
     
  19. Oct 17, 2018 #39
    eva2000

    eva2000 Administrator Staff Member

    54,583
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    3:06 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    ssllabs picks up a non-sni supported upload.YOURDOMAIN ssl cert too so it might be looking at that too

    also remove
    Code (Text):
      # prevent access to ./directories and files
       location ~ (?:^|/)\. {
   deny all;
       }

    it's going to prevent letsencrypt auto renewals
     
  20. Oct 17, 2018 #40
    buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    6:06 PM
    You are right, Couldn't see the large SSLlabs picture on my mobile.
    There is little difference between the full image and the reduced default version on the forum.
    Perhaps there is something to do about that? After all, it is difficult to see on a mobile.
     
Previous Thread Next Thread
Loading...
Page 2 of 4

.