NGINX not supporting tls1.2 ciphers

0
votes

I want to add few TLS 1.2 Cipher in nginx (v1.16.1) and only 2 of them works.

Below is the list of cipher I want to get supported.

DHE-RSA-AES128-GCM-SHA256;

ECDHE-RSA-AES128-GCM-SHA256; --> This works

DHE-RSA-AES256-GCM-SHA384;

ECDHE-RSA-AES256-GCM-SHA384; --> this works

ECDHE-ECDSA-AES256-GCM-SHA384;

Added below lines in by default.conf

server {

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384";

...
}

I am using open ssl command to test them out

openssl s_client -cipher DHE-RSA-AES128-GCM-SHA256 -connect localhost:8443  -tls1_2
openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect localhost:8443  -tls1_2
openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 -connect localhost:8443  -tls1_2
openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384 -connect localhost:8443  -tls1_2
openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -connect localhost:8443  -tls1_2

One marked works gives result rest all fail like below

openssl s_client -cipher DHE-RSA-AES128-GCM-SHA256 -connect localhost:8443  -tls1_2
CONNECTED(00000218)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 118 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1599152280
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
36400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-1.1.1d/ssl/record/rec_layer_s3.c:1543:SSL alert number 40

Is there is something wrong with my configuration or the ciphers are not supported.

1
nginxopenssltls1.2
For TLS1.2 and below you need to create (or obtain) a set of DH parameters in a file, and specify it using ssl_dhparam otherwise "DHE ciphers will not be used". openssl dhparam $nbits is a simple way to generate suitable parameters. (ECDHE is different because it uses standardized curves, not user-definable groups.) - dave_thompson_085

1 Answers

1
votes

For Diffie Hellman key exchange you need to provide nginx with dhparam:

openssl dhparam -out /etc/ssl/certsdhparam.pem 4096

and configure it in nginx conf:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

See reference

For ECDHE-ECDSA-AES256-GCM-SHA384; you also need to use a ecdsa key and certificate. See guide

Hybrid RSA and ECDSA certificates examle conf:

ssl_certificate /path/to/rsa.crt;
ssl_certificate_key /path/to/rsa.key;
ssl_certificate /path/to/ecdsa.crt;
ssl_certificate_key /path/to/ecdsa.key;

See reference