webserver+openssl 1.1.1c failing to use CHACHA20 ciphers, and fails to launch at all if just TLSv1.3 cipherlist is specified?

PGNet Dev pgnet.dev at gmail.com
Thu Jul 18 03:48:09 UTC 2019


I run nginx 1.17.1 + openssl 1.1.1c on linux.

I typically configure recommended defaults for SSL usage, and it "just works", with ssllabs reporting my sites as healthy with an "A+", fwiw.

Now, I'm currently working setting up a local-only server, attempting to get it to use TLSv1.3/CHACHA20 only.

So I'm trying to tighten down restrictions in config.  With my attempted restrictions in place, I've found that I'm apparently NOT using TLSv1.3/CHACHA20.

The current test setup follows; I'm not clear where the problem is -- in nginx, openssl, or my config of either/both.  I'm _guessing_ it's my usage/config ...

I've installed

	which openssl
		/usr/local/openssl/bin/openssl
	openssl version
		OpenSSL 1.1.1c  28 May 2019

nginx is built with/linked to this version

	nginx -v
		nginx version: nginx/1.17.1
	ldd `which nginx` | grep ssl
		libssl.so.1.1 => /usr/local/openssl/lib64/libssl.so.1.1 (0x00007f95bdc09000)
		libcrypto.so.1.1 => /usr/local/openssl/lib64/libcrypto.so.1.1 (0x00007f95bd6f9000)

With this nginx config

	server {

		listen 10.0.1.20:443 ssl http2;

		server_name test.dev.lan;
		root /data/webapps/nulldir;
		index index.html;

		rewrite_log on;
		access_log  /var/log/nginx/access.log main;
		error_log   /var/log/nginx/error.log info;

		ssl_protocols TLSv1.3 TLSv1.2;
		ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
		ssl_ecdh_curve X25519:prime256v1:secp384r1;
		ssl_prefer_server_ciphers on;

		ssl_trusted_certificate "/usr/local/etc/ssl/myCA/myCA.chain.crt.pem";
		ssl_certificate         "/usr/local/etc/ssl/test/test.ec.crt.pem";
		ssl_certificate_key     "/usr/local/etc/ssl/test/test.ec.key.pem";

	    location / {
	    }

	}

config check is ok,

	nginxconfcheck
		nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
		nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

and  I see a TLS 1.3 handshake,

	openssl s_client -connect 10.0.1.20:443 -CAfile /usr/local/etc/ssl/myCA/myCA.chain.crt.pem
		CONNECTED(00000003)
		Can't use SSL_get_servername
		depth=2 O = dev.lan, OU = myCA, L = NewYork, ST = NY, C = US, emailAddress = admin at dev.lan, CN = myCA_ROOT
		verify return:1
		depth=1 C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT, emailAddress = admin at dev.lan
		verify return:1
		depth=0 C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN = test.dev.lan, emailAddress = admin at dev.lan
		verify return:1
		---
		Certificate chain
		 0 s:C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN = test.dev.lan, emailAddress = admin at dev.lan
		   i:C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT, emailAddress = admin at dev.lan
		---
		Server certificate
		-----BEGIN CERTIFICATE-----
		MIIEhjCCBAygAwIBAgICELAwCgYIKoZIzj0EAwIwgbAxCzAJBgNVBAYTAlVTMQsw
		...
		VHldKgTNpiGuFA==
		-----END CERTIFICATE-----
		subject=C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN = test.dev.lan, emailAddress = admin at dev.lan

		issuer=C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT, emailAddress = admin at dev.lan

		---
		No client certificate CA names sent
		Peer signing digest: SHA384
		Peer signature type: ECDSA
		Server Temp Key: X25519, 253 bits
		---
		SSL handshake has read 1565 bytes and written 373 bytes
		Verification: OK
		---
		New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
		Server public key is 384 bit
		Secure Renegotiation IS NOT supported
		No ALPN negotiated
		Early data was not sent
		Verify return code: 0 (ok)
		---
		---
		Post-Handshake New Session Ticket arrived:
		SSL-Session:
		    Protocol  : TLSv1.3
		    Cipher    : TLS_AES_256_GCM_SHA384
		    Session-ID: CA79B0596A2CCF19BBA9A49E086F99E7F811FAC8349888E37531E46B17FE35A9
		    Session-ID-ctx:
		    Resumption PSK: 9966170E5086490D231260B15CDA6852D0CCDED661D1C075BF0DE3334C89472B158F2524282DD5F1175381B4317D8DC9
		    PSK identity: None
		    PSK identity hint: None
		    SRP username: None
		    TLS session ticket lifetime hint: 300 (seconds)
		    TLS session ticket:
		    0000 - 1e 49 9a 75 97 46 90 9c-8a ec 1b 8d ac 90 5a a6   .I.u.F........Z.
		    ...
		    00d0 - 49 e4 e0 50 62 3b 45 a5-10 f9 9e 2e 43 09 41 40   I..Pb;E.....C.A@

		    Start Time: 1563419052
		    Timeout   : 7200 (sec)
		    Verify return code: 0 (ok)
		    Extended master secret: no
		    Max Early Data: 0
		---
		read R BLOCK
		---
		Post-Handshake New Session Ticket arrived:
		SSL-Session:
		    Protocol  : TLSv1.3
		    Cipher    : TLS_AES_256_GCM_SHA384
		    Session-ID: 1B65B9377224E89FA226C7DC8103E3A57C13798F9FAA0B909BC36E436EE95DC9
		    Session-ID-ctx:
		    Resumption PSK: FEDFC913674474BC83DBE17F4290CA744C92E0763B450C6C489724442E2B2C6F14849A6910356B7ADFFEA3D03D2E7931
		    PSK identity: None
		    PSK identity hint: None
		    SRP username: None
		    TLS session ticket lifetime hint: 300 (seconds)
		    TLS session ticket:
		    0000 - 1e 49 9a 75 97 46 90 9c-8a ec 1b 8d ac 90 5a a6   .I.u.F........Z.
		    ...
		    00d0 - c9 d0 19 a1 00 6d 72 37-f7 f4 39 6b dd 48 4d cf   .....mr7..9k.HM.

		    Start Time: 1563419052
		    Timeout   : 7200 (sec)
		    Verify return code: 0 (ok)
		    Extended master secret: no
		    Max Early Data: 0
		---
		read R BLOCK
		closed


but the cipher used is

	TLS_AES_256_GCM_SHA384

NOT either of the CHACHA20 options,

	TLS-CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-CHACHA20-POLY130

And, if I change nginx to be 'TLSv1.3-only',

-	ssl_protocols TLSv1.3 TLSv1.2;
-	ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
+	ssl_protocols TLSv1.3;
+	ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";

even the webserver config check FAILs,

	nginxconfcheck
		TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
		nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

and the server fails to start.

So I _see_ two issues,

  (1) when the webserver config passes, with not-just-TLS1.3 ciphers enabled in the config, I get an SSL connection, using TLS1.3, but NOT the hoped-for CHACHA20 ciphers.

  (2) when I list ONLY TLS1.3 ciphers, the config check fails, and the server won't start.

What's preventing the use of a just TLSv1.3 cipherlist? & specifically the usage of CHACHA20 ciphers in connection?

My config? My cert? other?

I can certainly provide more detail; just not clear what to gather, atm.


More information about the openssl-users mailing list