
1.27 and tls1.2 #925

Open

klemenkobetic opened this issue Sep 2, 2024 · 2 comments

Comments

@klemenkobetic

klemenkobetic commented Sep 2, 2024

Describe the bug

I'm trying to use TLS 1.2 and it doesn't work; it goes to TLS 1.3.

To reproduce

Steps to reproduce the behavior:

  1. docker compose, build image from 'nginx:1.27'
  2. use TLS 1.2
  3. it only loads through TLS 1.3

Expected behavior

The page should be loaded through TLS 1.2 as well. If that's not possible, then it shouldn't be loaded at all, since TLS 1.3 is not available.

Your environment

  • docker image nginx:1.27

Additional context

No additional configuration (worth mentioning)

    listen 443      ssl;
    listen [::]:443 ssl;
#    http2 on;
    ssl_protocols TLSv1.2;

When I run nmap (inside the container) I get:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|     cipher preference: server
|_  least strength: A

Using Let's Encrypt, if that's useful.

Even though TLS 1.3 is not enabled in the nginx config, the page is loaded.
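The nmap run above was made without an SNI name, so it only shows what the default server for port 443 negotiates. The script below is an added example (not code from the issue or from the nginx project): it probes each server_name with its own SNI value and a single forced protocol version, and parses the `openssl s_client` result. The host, port and names are placeholders, and the two sample outputs embedded in the block are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the issue thread. Probes which TLS version each
# server_name actually negotiates on a shared listen socket, sending SNI.
# Host/port and names passed on the command line are assumptions.

# Extract the negotiated protocol from `openssl s_client` output.
# A successful handshake prints "New, TLSv1.2, Cipher is ...";
# a failed one prints "New, (NONE), Cipher is (NONE)".
# Prints "none" when no session was established.
negotiated_version() {
    awk '
        /^New, / { v = $2; sub(/,$/, "", v) }
        END      { if (v == "" || v == "(NONE)") print "none"; else print v }
    '
}

# One handshake: force a single version (-tls1_2 or -tls1_3) and send the
# requested SNI name. Needs the openssl CLI and network access to the host.
probe_tls() {
    host=$1; port=$2; name=$3; version_flag=$4
    printf '' | openssl s_client -connect "$host:$port" -servername "$name" \
        "$version_flag" 2>/dev/null | negotiated_version
}

# Walk every name / version pair and print a small table. A name that
# negotiates a version its own server block does not list is being served
# with the ssl_protocols of the default server for that listen socket.
probe_all() {
    host=$1; port=$2; shift 2
    for name in "$@"; do
        for flag in -tls1_2 -tls1_3; do
            printf '%-28s %-8s %s\n' "$name" "$flag" \
                "$(probe_tls "$host" "$port" "$name" "$flag")"
        done
    done
}

# Constructed sample outputs (not captured from the reporter's host), used
# to check the parser without a live server.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2'

SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

parse_sample_ok()   { printf '%s\n' "$SAMPLE_OK"   | negotiated_version; }
parse_sample_fail() { printf '%s\n' "$SAMPLE_FAIL" | negotiated_version; }

# Live usage (placeholders):
#   sh probe.sh 127.0.0.1 443 subdomain1.domain.com subdomain2.domain.com
if [ "$#" -ge 3 ]; then
    probe_all "$@"
fi
```

Run it against the container's published port with both names; a row such as `subdomain2.domain.com -tls1_2 none` next to `-tls1_3 TLSv1.3` is the pattern to look for. nmap can send SNI too, via `--script-args tls.servername=subdomain2.domain.com` with `ssl-enum-ciphers`, so the same comparison can be made with the tool already used above.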

@thresheek
Collaborator

Hello!

I can't reproduce with the following example:

$ ls -la
total 24
drwxrwxr-x  2 thresh thresh  4096 Sep  9 20:25 .
drwxr-xr-x 39 thresh thresh 12288 Sep  9 20:24 ..
-rw-rw-r--  1 thresh thresh  2949 Sep  9 20:25 cert.pem
-rw-rw-r--  1 thresh thresh   224 Sep  9 20:24 tls.conf

$ cat tls.conf
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/cert.pem;
    ssl_protocols tlsv1.2;
    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}

$ docker run -d -v $(pwd)/:/etc/nginx/conf.d/ -p 9443:443 nginx:1.27
eb14f2f6e7869f28375c715a18cf6945b301b51cfe2ea36fe276a7b3646cf798

$ curl -k https://127.0.0.1:9443/test
OK: TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384

$ curl --tlsv1.3 -k https://127.0.0.1:9443/test
curl: (35) error:0A00042E:SSL routines::tlsv1 alert protocol version

Please post your whole configuration if you still see the error even with minimal config like the one I have.

@klemenkobetic
Author

klemenkobetic commented Sep 15, 2024

@thresheek, you're right, it works.

But then I did some more debugging:

nginx:1.27, nginx.conf is the default one

in my /etc/nginx/conf.d I have:

01-subdomain1.domain.com.conf

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name subdomain1.domain.com;
    ssl_certificate /etc/letsencrypt/live/subdomain1.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain1.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/subdomain1.domain.com/chain.pem;

    # Strong cipher list : https://cipherlist.eu/
    ssl_protocols TLSv1.3;

    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}
```

and 02-subdomain2.domain.com.conf

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name subdomain2.domain.com;
    ssl_certificate /etc/letsencrypt/live/subdomain2.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain2.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/subdomain2.domain.com/chain.pem;

    # Strong cipher list : https://cipherlist.eu/
    ssl_protocols TLSv1.2;

    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}
```

And with this config I'm only able to get TLS1.3 on my subdomain2.

BUT if I add TLSv1.2 to ssl_protocols in the subdomain1 nginx conf, then I'm able to get a TLSv1.2 response on my subdomain2.

As if the security standards in 01 have higher priority than in 02. Notice the naming (starting with 01-, 02-, ...); this is the order in which nginx processes them.

Any ideas?
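What the second comment observes is the default-server effect: both server blocks share the socket *:443, the first one defined (01-subdomain1) is the default server for it, and the TLS version is chosen from the ClientHello before the SNI name is used to switch to another server block, so the default server's ssl_protocols govern every name on that socket. The configuration below is an added example, not the reporter's or the nginx project's own; it keeps the report's hypothetical server names and certificate paths only for illustration and assumes the image's default nginx.conf, which includes /etc/nginx/conf.d/*.conf inside http { }. It sets one protocol policy at http level so no server block can silently narrow or widen it for its neighbours.

```nginx
# Added example, not the reporter's or the nginx project's configuration.
# File names, server names and certificate paths are hypothetical and only
# mirror the ones in the report.

# /etc/nginx/conf.d/00-tls.conf
# conf.d/*.conf is included inside http { } by the image's default
# nginx.conf, so a directive at the top of this file is an http-level
# directive, inherited by every server block that does not override it.
ssl_protocols TLSv1.2 TLSv1.3;

# /etc/nginx/conf.d/01-subdomain1.domain.com.conf
server {
    listen 443 ssl;        # first server on *:443, so it is the default
    listen [::]:443 ssl;   # server for that socket unless default_server
    http2 on;              # is set on another block

    server_name subdomain1.domain.com;
    ssl_certificate     /etc/letsencrypt/live/subdomain1.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain1.domain.com/privkey.pem;

    # No per-server ssl_protocols here: the version accepted on this socket
    # is fixed from the ClientHello before SNI picks a server block, so a
    # narrower list in this block would apply to subdomain2 as well.

    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}

# /etc/nginx/conf.d/02-subdomain2.domain.com.conf
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name subdomain2.domain.com;
    ssl_certificate     /etc/letsencrypt/live/subdomain2.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain2.domain.com/privkey.pem;

    # Inherits TLSv1.2 TLSv1.3 from 00-tls.conf; nothing to override.
    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}
```

Validate with `nginx -t` before reloading. If one name genuinely needs a different set of versions than its neighbours, give it its own listen address or port, since a per-server ssl_protocols on a shared socket cannot take effect for names that are not the default server. The ssl_trusted_certificate lines from the report are left out here only because no stapling directives are shown; keep them if OCSP stapling is configured.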
