
OpenSSL 1.1.1 and Chrome 70 with TLS 1.3 RFC support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Oct 16, 2018.

  1. Sunka

    Sunka Well-Known Member

    1.png

    Nop

    I will remove that part, but I am not using letsencrypt auto renewals.
    I am using comodo ssl

    You mean /usr/local/nginx/conf/ssl/pijanitvor.com/
    which file?

    Code:
    # ls -la /usr/local/nginx/conf/ssl/pijanitvor.com/
    total 68
    drwxr-xr-x 2 root root 4096 Sep 28 14:12 .
    drwxr-xr-x 3 root root  143 Nov 12  2016 ..
    -rw-r--r-- 1 root root  424 Nov  2  2015 dhparam.pem
    -rw-r--r-- 1 root root 1281 Nov  2  2015 pijanitvor.com.crt
    -rw-r--r-- 1 root root 1041 Nov  2  2015 pijanitvor.com.csr
    -rw-r--r-- 1 root root 1704 Nov 25  2015 pijanitvor.com.key
    -rw-r--r-- 1 root root 1708 Nov  2  2015 pijanitvor.com.key.default
    -rw-r--r-- 1 root root 4103 Nov 26  2015 ssl-trusted.crt
    -rw-r--r-- 1 root root 6529 Sep 28 14:14 ssl-unified.crt
    -rw-r--r-- 1 root root 6010 Nov 26  2015 ssl-unified.crt.old
    -rw-r--r-- 1 root root 4102 Sep 28 14:01 www_pijanitvor_com.ca-bundle
    -rw-r--r-- 1 root root 2426 Aug 27 14:04 www_pijanitvor_com.crt
    -rw-r--r-- 1 root root 1907 Nov 25  2015 www_pijanitvor_com.crt.old
    -rw-r--r-- 1 root root 1094 Nov 25  2015 www_pijanitvor_com.csr
     
  2. buik

    buik Well-Known Member

    What you could do is spin up a fresh test server to isolate the problem.
    Install some default pages and your certificate.
    Link your local DNS to your test server to bypass the production DNS and web server environment, so users are not bothered.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Any other nginx vhosts for your domain in /usr/local/nginx/conf/conf.d?
     
  4. eva2000

    FYI, my Wordpress7 demo site is running Centmin Mod Nginx 1.15.5 + OpenSSL 1.1.1 TLS 1.3 now too Wordpress7.centminmod.com :D
     
  5. rdan

    rdan Well-Known Member

    Nginx 1.15.5 + OpenSSL 1.1.1, TLS 1.3 tested, works fine on:
    • Windows 7, Chrome 70
    • Windows 8.1, Chrome 70
    • Windows 10, Chrome 70
    • Ubuntu 18.10, Chrome 70
    • Ubuntu 18.10, Firefox 63
     
  6. rdan

    Did you solve your problem?
    I also have this newly installed Windows 10 64-bit on VirtualBox, and TLS 1.3 doesn't work on Chrome 10 :D.
     
  7. eva2000

    Strange... what specific Windows 10 version is that? Wonder if there were Windows 10 updates for TLS 1.3?

    I'm on

    upload_2018-10-18_2-46-14.png

    What is the underlying OS for VirtualBox? Does that OS connect to Chrome with TLS 1.3?
     
  8. rdan

    My main OS is Windows 10 (TLS 1.3 works fine on Chrome 70)
    upload_2018-10-18_1-2-39.png

    and I have VirtualBox installed.
    One OS on it is also Windows 10; I just downloaded the ISO fresh from Microsoft today.
    upload_2018-10-18_1-5-4.png

    OS Build is behind a bit I think:
    upload_2018-10-18_1-6-57.png
     
  9. rdan

    I'll report back after installing all these updates:

    upload_2018-10-18_1-9-32.png
     
  10. rdan

    TLS 1.3 still isn't working.
     
  11. eva2000

    Strange. Does Firefox 63/dev/nightly work for TLS 1.3 on the same OS? And Chrome Canary 72?
     
  12. rdan

    Haven't tried Firefox.
    But on all Cloudflare-powered sites, TLS 1.3 works fine.
     
  13. rdan

    Weird, still not working on:
    Version 72.0.3582.0 (Official Build) canary (64-bit)
     
  14. rdan

    Yes works fine.
     
  15. Sunka

    Code (Text):
    # ls -la /usr/local/nginx/conf/conf.d/
    total 40
    drwxr-xr-x 2 root root 4096 Oct 17 01:25 .
    drwxr-xr-x 6 root root 4096 Oct 17 01:25 ..
    -rw-r--r-- 1 root root 1120 Oct 17 01:25 demodomain.com.conf
    -rw-r--r-- 1 root root 2313 Oct 17 01:25 phpmyadmin_ssl.conf
    -rw-r--r-- 1 root root 2170 Nov 11  2016 pijanitvor.com.conf-disabled
    -rw-r--r-- 1 root root 4304 Oct 17 01:39 pijanitvor.com.ssl.conf
    -rw-r--r-- 1 root root 1106 Oct 17 01:25 ssl.conf
    -rw-r--r-- 1 root root 1697 Oct 17 01:25 virtual.conf


    Nop

    Firefox and Chrome show only 1.2
     
  16. eva2000

    Firefox has its own crypto library and doesn't use Windows 10 systems so that might explain it somewhat.
    What's the output of this command?
    Code (Text):
    egrep -rn 'ssl_protocols|ssl_ciphers' /usr/local/nginx/conf/
    
     
  17. rdan

    I manually set this and it works:
    upload_2018-10-18_13-10-11.png
     
  18. eva2000

    Weird, seems some Chrome 70 are not defaulting to the final TLS 1.3 RFC then.
     
  19. buik

    It is known that Google performs A/B tests with Chrome.
    It is therefore quite possible that TLS 1.3 is not enabled by default for everyone,
    because they could roll out this feature in phases.

    Or it could be a bug. I had exactly the same with a very recent beta on another machine (test). See start post for more info.
     
  20. Sunka

    Here it is...

    Code (Text):
    # egrep -rn 'ssl_protols|ssl_ciphers' /usr/local/nginx/conf/
    /usr/local/nginx/conf/nginx.conf.default:108:    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    /usr/local/nginx/conf/conf.d/ssl.conf:22:#    ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf:27:        ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf:29:  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
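
The grep output above contains only `ssl_ciphers` lines (the pattern in the pasted session is spelled `ssl_protols`, so no `ssl_protocols` directive can match) and it mixes commented-out directives with active ones. As an added example, not written by anyone in this thread, the following shell functions report per config file the active `ssl_protocols` value and how many `TLS13-` prefixed names sit in `ssl_ciphers`. Assumptions: one directive per line, `include` is not followed, and `active_value`, `audit_tls` and the sample files are names made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: per-file view of the active TLS directives.

# Value of the last uncommented occurrence of directive $1 in file $2.
active_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$2" |
        tail -n 1 | tr '\t' ' '
}

# audit_tls DIR prints "<file> tls13=<yes|no|unset> tls13_prefixed=<count>"
# for every config file that actively sets ssl_protocols or ssl_ciphers.
audit_tls() {
    find "$1" -type f -name '*.conf*' | sort |
    while IFS= read -r f; do
        protos=$(active_value ssl_protocols "$f")
        ciphers=$(active_value ssl_ciphers "$f")
        [ -n "$protos$ciphers" ] || continue   # file sets neither directive
        case " $protos " in
            "  ")          tls13=unset ;;  # inherited from an outer context or the default
            *" TLSv1.3 "*) tls13=yes ;;
            *)             tls13=no ;;
        esac
        # Entries written with the TLS13- prefix, as in the pasted vhost.
        n=$(printf '%s\n' "$ciphers" | tr ':' '\n' | grep -c '^TLS13-' || true)
        printf '%s tls13=%s tls13_prefixed=%s\n' "${f#"$1"/}" "$tls13" "$n"
    done
}

# Constructed sample tree (file names and contents are made up for the demo).
sample=$(mktemp -d)
printf '  ssl_protocols TLSv1.2 TLSv1.3;\n  ssl_ciphers TLS13-AES-128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;\n' > "$sample/a.ssl.conf"
printf '#    ssl_ciphers HIGH:!aNULL:!MD5;\n' > "$sample/b.conf.default"
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$sample/c.conf"
printf 'ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\n' > "$sample/d.conf"
audit_tls "$sample"
```

The OpenSSL 1.1.1 release names its TLS 1.3 suites `TLS_AES_128_GCM_SHA256` and similar and configures them separately from the cipher list, so `TLS13-` entries in `ssl_ciphers` are worth a second look when checking a vhost.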