Use different ways to set ciphers for TLS 1.3 #14
Conversation
Openssl have a different way to set ciphers for TLS 1.3. If you using ssl_ciphers with only TLS 1.3 nginx will fail to start. You need to use "ssl_conf_command Ciphersuites" command in nginx. I implement it that way that I check in the template if tls version is set to 1.3 if so use the new syntax. Links: https://forum.nginx.org/read.php?11,287698 mozilla/ssl-config-generator#124 https://wiki.openssl.org/index.php/TLS1.3
|
Good catch. I'm not convinced yet to use the same variable for both cipher suites, though. TLSv13 and TLSv12 might be used alongside. The current config doesn't allow for TLSv13 cipher suite specification (not critical, as they are by default quite good). But currently, it's not possible to specify I'd vote for a cleaner approach on using a second option, either I'd still set |
|
Make sense! I would go for the approve add an extra variable(pillar) I would set default the I would default to an empty list, because the nginx default is also not set. In the template would do a for loop over the list, so we only set it if something is in the list. As you suggested I would always set the What do you think about the approve? |
Intoduce also a ssl_conf_command variable to modify the values.
pillar.example
Outdated
| @@ -6,6 +6,7 @@ nginx: | |||
| # This values can be overwritten in each server context individually. | |||
| ssl_protocols: 'TLSv1.2 TLSv1.3' | |||
| ssl_ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' # noqa: 204 | |||
| ssl_conf_command: [] | |||
There was a problem hiding this comment.
I think you should add a "real" example on how to use this, but mention the default is empty (maybe in a seperate paragraph), then test for that change to actually be in the file in the test below.
|
Yes, that sounds like a good plan! I think you can use the example you provided above in |
Updated test related to the pillar change.
Co-authored-by: Chris Aumann <[email protected]>
pillar.example
Outdated
| # Each string needs to hold all arguments for ssl_conf_command, like in the example below. | ||
| # An empty list ([], the default) results in no entries added to nginx.conf | ||
| ssl_conf_command: [ 'Options PrioritizeChaCha', 'Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384'] | ||
|
|
Co-authored-by: Chris Aumann <[email protected]>
|
Perfect, thanks! |
Openssl have a different way to set ciphers for TLS 1.3. If you using ssl_ciphers with only TLS 1.3 nginx will fail to start. You need to use "ssl_conf_command Ciphersuites" command in nginx.
I implement it that way that I check in the template if TLS version is set to 1.3 if so use the new syntax.
Links:
https://forum.nginx.org/read.php?11,287698
mozilla/ssl-config-generator#124
https://wiki.openssl.org/index.php/TLS1.3