docker-nginx
TLS1.0 support - nginx:1.25.3, all versions
Describe the bug
The latest version of nginx (nginx:1.25.3, from all versions) does not support TLS1.0.
To reproduce
Deploy nginx:1.25.3 and set the nginx ssl_protocols to TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; you can put whatever value you want in ssl_ciphers.
Expected behavior
Working TLS1.0 - can be tested using OpenSSL client.
Your environment
My OS is Ubuntu 22. When I used a different nginx flavor image (OpenResty, the latest version) on the same OS, TLS 1.0 worked without any issue, so from this I learned that this is not an OS issue; this is about the nginx Docker image itself.
Additional context
After searching online, I found a few recommended solutions:
A. Edit /etc/ssl/openssl.cnf and add to it:
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
B. Add ssl_ciphers DEFAULT@SECLEVEL=0; to the nginx conf.
I tried both methods: I edited /etc/ssl/openssl.cnf inside and outside the Docker container, and I tried option B, but none of that worked. I read in another post that the Alpine version did not compile in TLS 1.0 support, so I switched from the Alpine version to the regular nginx:1.25.3, and still nothing worked (including after I tried the above inside and outside it).
How can I make it work? Is there a specific version of the regular nginx that works with this? Do I need to do something differently to make it work? I must support TLS 1.0 as well...
Ideally I am looking for a version that supports both TLS 1.0 and HTTP/2.
Hi @Chokoabigail!
TLS 1.0 and HTTP/2 seem to work fine with nginx:1.25.3, which is Debian-based.
The following configuration confirms this:
server {
    server_name _;
    listen 443 ssl;
    http2 on;
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    ssl_ciphers 'DEFAULT@SECLEVEL=0';
    location / { return 200 'OK - $ssl_protocol - $ssl_cipher\n'; }
}
And testing with curl from inside the image:
# curl --ciphers 'DEFAULT@SECLEVEL=0' --tls-max 1.0 https://127.0.0.1:443/ -k
OK - TLSv1 - ECDHE-RSA-AES256-SHA
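The thread shows that the version list in ssl_protocols is not what decides whether a TLS 1.0 handshake succeeds on this image: the reporter listed TLSv1 and got nothing, while the maintainer's config lowers the OpenSSL security level with ssl_ciphers 'DEFAULT@SECLEVEL=0' and TLS 1.0 handshakes go through. A defender reviewing nginx configs therefore needs to look at both directives together. The following audit script is an added example, not code from the issue or from the docker-nginx project: it splits an nginx config into server blocks, extracts ssl_protocols and ssl_ciphers, parses any @SECLEVEL=N value, and reports legacy TLS exposure. The two embedded configs are constructed samples (the first mirrors the reporter's approach, the second is the maintainer's block above); the hostname legacy.example.test is made up.

```python
"""Audit nginx server blocks for legacy TLS exposure (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol versions a defender should treat as legacy when they appear explicitly.
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

SERVER_RE = re.compile(r"\bserver\s*\{")
NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.M)
DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)
SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d)")


@dataclass
class ServerTlsPolicy:
    server_name: str
    protocols: List[str]        # explicit ssl_protocols values; [] when the directive is unset
    ciphers: str                # ssl_ciphers value with quotes stripped; "" when unset
    seclevel: Optional[int]     # N from @SECLEVEL=N inside ssl_ciphers, else None
    findings: List[str] = field(default_factory=list)


def split_server_blocks(conf: str) -> List[str]:
    """Return the body of every `server { ... }` block. Braces are matched by depth
    so that an inner `location { ... }` block does not end the server block early."""
    blocks = []
    for m in SERVER_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth > 0:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.end():i - 1])  # exclude the closing brace
    return blocks


def analyse_server(block: str) -> ServerTlsPolicy:
    """Extract the TLS-relevant directives of one server block and derive findings."""
    name = NAME_RE.search(block)
    directives = {k: v.strip() for k, v in DIRECTIVE_RE.findall(block)}
    protocols = directives.get("ssl_protocols", "").split()
    ciphers = directives.get("ssl_ciphers", "").strip("'\"")
    sec = SECLEVEL_RE.search(ciphers)
    policy = ServerTlsPolicy(
        server_name=name.group(1).strip() if name else "(unnamed)",
        protocols=protocols,
        ciphers=ciphers,
        seclevel=int(sec.group(1)) if sec else None,
    )
    for p in protocols:
        if p in LEGACY_PROTOCOLS:
            policy.findings.append(f"legacy protocol {p} listed in ssl_protocols")
    if policy.seclevel == 0:
        # This is the setting the maintainer used; it is what actually re-enables TLS 1.0.
        policy.findings.append(
            "ssl_ciphers sets @SECLEVEL=0: OpenSSL will accept legacy TLS 1.0/1.1 "
            "handshakes and weak ciphers that its default security level refuses")
    elif any(p in LEGACY_PROTOCOLS for p in protocols):
        # Protocols listed but security level untouched: the reporter's situation.
        policy.findings.append(
            "legacy protocols listed but OpenSSL security level not lowered: "
            "TLS 1.0/1.1 clients are likely still refused by the OpenSSL build")
    return policy


def audit(conf: str) -> List[ServerTlsPolicy]:
    return [analyse_server(b) for b in split_server_blocks(conf)]


# Constructed sample 1: protocols listed, cipher string left at a normal value.
REPORTER_CONF = """
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Constructed sample 2: the maintainer's working block from this thread.
ANSWER_CONF = r"""
server {
    server_name _;
    listen 443 ssl;
    http2 on;
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    ssl_ciphers 'DEFAULT@SECLEVEL=0';
    location / { return 200 'OK - $ssl_protocol - $ssl_cipher\n'; }
}
"""

if __name__ == "__main__":
    for conf in (REPORTER_CONF, ANSWER_CONF):
        for policy in audit(conf):
            print(policy.server_name, policy.protocols or "(default)", "seclevel:", policy.seclevel)
            for finding in policy.findings:
                print("  -", finding)
```

Run it against a real nginx.conf (read the file and pass its text to audit) to inventory which server blocks have been opened to TLS 1.0/1.1 through the security level rather than through the protocol list, which is the case a protocol-only grep misses.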
Hi @Chokoabigail!
Have you been able to figure out the issue with your TLS setup?