Use different ways to set ciphers for TLS 1.3

Openssl have a different way to set ciphers for TLS 1.3. If you using ssl_ciphers with only TLS 1.3 nginx will fail to start. You need to use "ssl_conf_command Ciphersuites" command in nginx. I implement it that way that I check in the template if tls version is set to 1.3 if so use the new syntax. Links: https://forum.nginx.org/read.php?11,287698 mozilla/ssl-config-generator#124 https://wiki.openssl.org/index.php/TLS1.3
dgo- · Jan 30, 2023 · 2a42fd3 · 2a42fd3
1 parent 5a60749
commit 2a42fd3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/nginx.conf.jinja b/nginx.conf.jinja
@@ -26,7 +26,11 @@ http {
 
     # Global TLS settings
     ssl_protocols {{ ssl_protocols }};
+    {% if ssl_protocols == "TLSv1.3" -%}
+    ssl_conf_command Ciphersuites {{ ssl_ciphers }};
+    {%- else -%}
     ssl_ciphers {{ ssl_ciphers }};
+    {%- endif %}
     ssl_session_cache {{ ssl_session_cache }};
     ssl_prefer_server_ciphers {{ ssl_prefer_server_ciphers }};
     ssl_stapling {{ ssl_stapling }};