• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Nginx with TLS 1.3 supported but not used by Browser

Servus

Basic Pleskian
Hi,
as mentioned in other threads, I followed the tutorial by UFHH01 to use self-compiled Nginx with TLSv1.3, Brotli and Pagespeed. Through all new Nginx releases until 1.13.9 it worked like a charm, successful all the time, independent of all changes of the other involved components for ngx_pagespeed and pagespeed for itself.

Now, with Nginx 1.13.10 crazy things happens. Installation was also successful like usual.
Qualys shows Draft-18 supported !!! Grade A+ with 390%.

BUT Firefox s
hows and uses only
TLSv1.2 ???

Investigation in nginx log:
2018/03/24 21:28:07 [crit] 19857#19857: *16156 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 206.80.118.118, server: 82.165.145.136:443

I'm not sure if this error is caused by cipher suites. Since days I read and study all relevant docs about openssl, ciphers, new changes of Nginx changes, and also Firefox.
Please, has someone an idea to fix this problem.
 
Last edited:
As far as I know, Firefox supports TLS 1.3, but this version is not enabled by default. The main reason for that, likely, is that it is still only available as a draft.
So, try to enable TLSv1.3 version for Firefox with following method:
  1. Load about:config in the Firefox address bar. Confirm that you will be careful if the warning screen is shown. The Firefox Configuration editor opens.
  2. Search for security.tls.version.max
  3. Change the value of the preference to 4 by double-clicking on it.
 
Thank you for answering and really good advice.
I already knew it and made the Firefox value 4 change over half an year ago.
Exactly this is what makes me wondering, Qualys says "OK" draft-18 and TLS 1.3 YES and supported.
But Chrome and Firefox fallback to TLS 1.2 for the missing handshake.
Think it came by browser updates or other updates (OpenSSL),

Greets
 
This seems to be a build-problem (nginx or openssl or both), and sorry i have no solution. In the handshake-phase, firefox can not take the 1.3-Path so it falls back to 1.2. If you tell nginx only to allow 1.3 (not 1.2 fallback), the debug-log of nginx says

2018/10/05 20:19:05 [info] 3021#3021: *1
SSL_do_handshake() failed
(SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking,
client: 79.246.106.81, server: .0.0.0:443

Firefox 62.0.3 says

SSL_ERROR_PROTOCOL_VERSION_ALERT

so it seems not to be possible to run a "TLS 1.3 only" - server. FireFox has Problems with the Handshake.
nginx/1.15.5 and openssl 1.1.1
 
Back
Top