• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Nginx with TLS 1.3 supported but not used by Browser

Servus

Servus

Basic Pleskian
Hi,
as mentioned in other threads, I followed the tutorial by UFHH01 to use self-compiled Nginx with TLSv1.3, Brotli and Pagespeed. Through all new Nginx releases until 1.13.9 it worked like a charm, successful all the time, independent of all changes of the other involved components for ngx_pagespeed and pagespeed for itself.

Now, with Nginx 1.13.10 crazy things happens. Installation was also successful like usual.
Qualys shows Draft-18 supported !!! Grade A+ with 390%.

BUT Firefox shows and uses only TLSv1.2 ???

Investigation in nginx log:
2018/03/24 21:28:07 [crit] 19857#19857: *16156 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 206.80.118.118, server: 82.165.145.136:443
Click to expand...

I'm not sure if this error is caused by cipher suites. Since days I read and study all relevant docs about openssl, ciphers, new changes of Nginx changes, and also Firefox.
Please, has someone an idea to fix this problem.
 
Last edited:
As far as I know, Firefox supports TLS 1.3, but this version is not enabled by default. The main reason for that, likely, is that it is still only available as a draft.
So, try to enable TLSv1.3 version for Firefox with following method:
  1. Load about:config in the Firefox address bar. Confirm that you will be careful if the warning screen is shown. The Firefox Configuration editor opens.
  2. Search for security.tls.version.max
  3. Change the value of the preference to 4 by double-clicking on it.
 
Thank you for answering and really good advice.
I already knew it and made the Firefox value 4 change over half an year ago.
Exactly this is what makes me wondering, Qualys says "OK" draft-18 and TLS 1.3 YES and supported.
But Chrome and Firefox fallback to TLS 1.2 for the missing handshake.
Think it came by browser updates or other updates (OpenSSL),

Greets
 
This seems to be a build-problem (nginx or openssl or both), and sorry i have no solution. In the handshake-phase, firefox can not take the 1.3-Path so it falls back to 1.2. If you tell nginx only to allow 1.3 (not 1.2 fallback), the debug-log of nginx says

2018/10/05 20:19:05 [info] 3021#3021: *1
SSL_do_handshake() failed
(SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking,
client: 79.246.106.81, server: .0.0.0:443

Firefox 62.0.3 says

SSL_ERROR_PROTOCOL_VERSION_ALERT

so it seems not to be possible to run a "TLS 1.3 only" - server. FireFox has Problems with the Handshake.
nginx/1.15.5 and openssl 1.1.1
 
You must log in or register to reply here.

Similar threads

learning_curve
Resolved Plesk 17.8.11 / Ubuntu 18.04.3 LTS / OpenSSL / TLSv1.3
Replies
2
Views
2K
learning_curve
learning_curve
Dukemaster
Question Updating special OpenSSL version
Replies
1
Views
1K
mr-wolf
M
Dukemaster
Resolved Redis and ngx_pagespeed configuration
Replies
12
Views
6K
Dukemaster
Dukemaster
Dukemaster
Input PLESK reaches the stars with only Nginx + HSTS (390%)
Replies
1
Views
2K
mr-wolf
M
U
Input How to compile NGINX with additional modules ( pagespeed / cache_purge / headers-more / and others )
4 5 6
Replies
114
Views
55K
quantim
Q
Back
Top