I decided to set up TLSv1.3. The installed versions of Nginx and OpenSSL seem to support it already.
I put in the required versions and current ciphers:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
Restarted nginx. Checked on ssllabs.com. Only 1.0 and 1.2 work. No 1.3, and 1.0 appeared out of nowhere.
apt-cache policy nginx
nginx:
Installed: 1.14.2-2+deb10u1
Candidate: 1.14.2-2+deb10u1
Version table:
*** 1.14.2-2+deb10u1 500
500 http://deb.debian.org/debian buster/main amd64 Packages
500 http://security.debian.org buster/updates/main amd64 Packages
100 /var/lib/dpkg/status
1.14.1-1~bpo9+1 100
100 http://mirror.hetzner.de/debian/packages stretch-backports/main amd64 Packages
1.10.3-1+deb9u3 500
500 http://mirror.hetzner.de/debian/packages stretch/main amd64 Packages
500 http://mirror.hetzner.de/debian/security stretch/updates/main amd64 Packages
apt-cache policy openssl
openssl:
Installed: 1.1.1g-1+0~20200421.17+debian10~1.gbpf6902f
Candidate: 1.1.1g-1+0~20200421.17+debian10~1.gbpf6902f
Version table:
*** 1.1.1g-1+0~20200421.17+debian10~1.gbpf6902f 500
500 https://packages.sury.org/php buster/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1d-0+deb10u3 500
500 http://deb.debian.org/debian buster/main amd64 Packages
500 http://security.debian.org buster/updates/main amd64 Packages
1.1.0l-1~deb9u1 500
500 http://mirror.hetzner.de/debian/packages stretch/main amd64 Packages
500 http://mirror.hetzner.de/debian/security stretch/updates/main amd64 Packages
nginx -V
nginx version: nginx/1.14.2
built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1g 21 Apr 2020)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-subs-filter
As I understand it, I need to rebuild nginx against OpenSSL 1.1.1g, or can this be solved somehow without rebuilding?
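One thing worth checking before rebuilding, as an added example that is not part of the original post: nginx 1.14.2 built with OpenSSL 1.1.1c already accepts the TLSv1.3 parameter, and Debian's stock nginx.conf carries an http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` that nginx applies to every server block that sets none of its own, which would produce exactly the "1.0 appeared, 1.3 missing" result. The script below (my code, not the poster's) walks a config and reports the effective ssl_protocols per server block; the sample config and the hostname `example.test` are constructed.

```python
import re

# Constructed sample: the poster's directive in one server block, next to the http-level line Debian's stock nginx.conf carries.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server { listen 443 ssl default_server; server_name _; }
    server { listen 443 ssl; server_name example.test; ssl_protocols TLSv1.2 TLSv1.3; }
}
"""
TOKEN = re.compile(r'#[^\n]*|[{};]|"[^"]*"|[^\s{};"]+')  # comment, punctuation, quoted, word

def parse_blocks(conf):
    """Minimal nginx config parser (does not follow 'include'): nested
    (block_name, directives{name: args}, children) tuples, root named 'main'."""
    stack, cur = [('main', {}, [])], []
    for tok in (t for t in TOKEN.findall(conf) if not t.startswith('#')):
        if tok == '{':                       # open a block named by the tokens so far
            block = (' '.join(cur), {}, [])
            stack[-1][2].append(block)
            stack.append(block)
            cur = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':                     # directive complete: first token is its name
            if cur:
                stack[-1][1][cur[0]] = cur[1:]
            cur = []
        else:
            cur.append(tok)
    return stack[0]

def audit(conf):
    """Effective ssl_protocols per server block: nginx applies the enclosing
    http-level directive to any server that sets none of its own."""
    findings = []
    def walk(block, inherited):
        name, directives, children = block
        own = directives.get('ssl_protocols')
        protos = set(own) if own is not None else inherited
        if name == 'server':
            label = ' '.join(directives.get('listen', ['?']) + directives.get('server_name', ['-']))
            issues = [msg for msg, bad in (('TLSv1 enabled', 'TLSv1' in protos),
                                           ('TLSv1.3 missing', 'TLSv1.3' not in protos)) if bad]
            findings.append((label, sorted(protos), issues))
        for child in children:
            walk(child, protos)
    walk(parse_blocks(conf), set())
    return findings
```

Run `audit()` over the contents of /etc/nginx/nginx.conf with the files under sites-enabled/ concatenated in by hand, since the parser does not follow `include`. Then confirm the live answer from the server itself with `openssl s_client -connect 127.0.0.1:443 -tls1_3` rather than relying on SSL Labs alone.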