docker-nginx
1.27 and tls1.2
Describe the bug
I'm trying to use TLS 1.2 and it doesn't work; it goes to TLS 1.3.
To reproduce
Steps to reproduce the behavior:
- docker compose, build image from 'nginx:1.27'
- use TLS 1.2
- only loads through TLS 1.3
Expected behavior
The page should be loaded through TLS 1.2 as well. If that is not possible, then it shouldn't be loaded at all, since TLS 1.3 is not available.
Your environment
- docker image nginx:1.27
Additional context
No additional configuration (worth mentioning):

```nginx
listen 443 ssl;
listen [::]:443 ssl;
# http2 on;
ssl_protocols TLSv1.2;
```
When I do nmap (inside the container) I get:

```
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|     cipher preference: server
|_  least strength: A
```
Using letsencrypt, if useful.
Even though TLS 1.3 is not enabled in the nginx config, the page is loaded.
Hello!
I can't reproduce with the following example:

```
$ ls -la
total 24
drwxrwxr-x  2 thresh thresh  4096 Sep  9 20:25 .
drwxr-xr-x 39 thresh thresh 12288 Sep  9 20:24 ..
-rw-rw-r--  1 thresh thresh  2949 Sep  9 20:25 cert.pem
-rw-rw-r--  1 thresh thresh   224 Sep  9 20:24 tls.conf
$ cat tls.conf
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/cert.pem;
    ssl_protocols tlsv1.2;
    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}
$ docker run -d -v $(pwd)/:/etc/nginx/conf.d/ -p 9443:443 nginx:1.27
eb14f2f6e7869f28375c715a18cf6945b301b51cfe2ea36fe276a7b3646cf798
$ curl -k https://127.0.0.1:9443/test
OK: TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384
$ curl --tlsv1.3 -k https://127.0.0.1:9443/test
curl: (35) error:0A00042E:SSL routines::tlsv1 alert protocol version
```
Please post your whole configuration if you still see the error even with minimal config like the one I have.
@thresheek, you are right, it works.
But then I did some more debugging:
nginx:1.27, nginx.conf is the default one.

In my /etc/nginx/conf.d I have:

01-subdomain1.domain.com.conf

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name subdomain1.domain.com;

    ssl_certificate /etc/letsencrypt/live/subdomain1.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain1.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/subdomain1.domain.com/chain.pem;
    # Strong cipher list : https://cipherlist.eu/
    ssl_protocols TLSv1.3;

    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}
```
and 02-subdomain2.domain.com.conf

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name subdomain2.domain.com;

    ssl_certificate /etc/letsencrypt/live/subdomain2.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain2.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/subdomain2.domain.com/chain.pem;
    # Strong cipher list : https://cipherlist.eu/
    ssl_protocols TLSv1.2;

    location / { return 200 'OK: $ssl_protocol: $ssl_cipher\n'; }
}
```
And with this config I'm only able to get TLS 1.3 on my subdomain2.
BUT if I add TLSv1.2 to ssl_protocols in the subdomain1 nginx conf, then I'm able to get a TLSv1.2 response on my subdomain2.
As if the security standards in 01 have higher priority than in 02. Notice the naming (starting with 01-, 02-, ...); this is how it's processed by nginx.
Any ideas?
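To see the per-name behaviour described above directly, here is an added check script; it is not from this thread or from the docker-nginx project. For each SNI name it forces a TLS 1.2-only and a TLS 1.3-only handshake with `openssl s_client` and reports what the server actually negotiated, so a name whose server block says `ssl_protocols TLSv1.2;` can be checked separately from the first server block on the same listen socket. Host, port and the subdomain names are placeholders; the script assumes `openssl s_client` is installed and parses its usual `New, <proto>, Cipher is <cipher>` summary line.

```shell
#!/bin/sh
# probe_tls_versions.sh (added example, not from the thread or docker-nginx).
# For every SNI name given, force a TLS 1.2-only and a TLS 1.3-only handshake
# with openssl s_client and report what the server actually negotiated, so a
# name whose server{} says "ssl_protocols TLSv1.2;" can be checked on its own.

# Read openssl s_client output from stdin and print the negotiated protocol
# ("TLSv1.2", "TLSv1.3") or "refused" when no session was set up.
# Assumption: the "New, <proto>, Cipher is <cipher>" summary line printed by
# OpenSSL 1.1.1 and 3.x; a failed handshake prints "New, (NONE), Cipher is (NONE)".
classify_s_client_output() {
    awk '
        /^New, TLSv1\.[0-9], Cipher is / { sub(/,$/, "", $2); print $2; found = 1; exit }
        /^New, \(NONE\), Cipher is \(NONE\)/ { print "refused"; found = 1; exit }
        END { if (!found) print "refused" }
    '
}

# probe_one HOST PORT SNI VERSION_FLAG   (VERSION_FLAG is -tls1_2 or -tls1_3)
probe_one() {
    # -servername selects the nginx server{} block via SNI; the version flag
    # makes s_client offer exactly one protocol version. </dev/null ends the
    # session right after the handshake.
    openssl s_client -connect "$1:$2" -servername "$3" "$4" </dev/null 2>&1 \
        | classify_s_client_output
}

# probe_names HOST PORT SNI...   prints one line per (name, version) pair.
probe_names() {
    host=$1; port=$2; shift 2
    for sni in "$@"; do
        for flag in -tls1_2 -tls1_3; do
            printf '%-32s %-8s -> %s\n' "$sni" "$flag" \
                "$(probe_one "$host" "$port" "$sni" "$flag")"
        done
    done
}

# Example invocation (host and names are placeholders taken from the thread):
#   sh probe_tls_versions.sh 127.0.0.1 443 subdomain1.domain.com subdomain2.domain.com
if [ $# -ge 3 ]; then
    probe_names "$@"
fi
```

Run it against the host with both subdomain names: a name whose block allows only TLSv1.2 but comes back `-tls1_3 -> TLSv1.3` shows the effect reported in the last post. Note that `curl --tlsv1.2` only sets a minimum version (curl may still negotiate 1.3), so for a 1.2-only handshake use `curl --tls-max 1.2` or the `-tls1_2` flag of `s_client` as above.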