Question Nginx with TLS 1.3 supported but not used by Browser

Servus

Basic Pleskian
Hi,
as mentioned in other threads, I followed the tutorial by UFHH01 to use self-compiled Nginx with TLSv1.3, Brotli and Pagespeed. Through all new Nginx releases until 1.13.9 it worked like a charm, successful all the time, independent of all changes of the other involved components for ngx_pagespeed and pagespeed for itself.

Now, with Nginx 1.13.10, crazy things happen. Installation was also successful, as usual.
Qualys shows Draft-18 supported !!! Grade A+ with 390%.

BUT Firefox shows and uses only TLSv1.2 ???

Investigation in nginx log:
2018/03/24 21:28:07 [crit] 19857#19857: *16156 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 206.80.118.118, server: 82.165.145.136:443

I'm not sure if this error is caused by cipher suites. For days I have been reading and studying all relevant docs about openssl, ciphers, new changes of Nginx, and also Firefox.
Please, does someone have an idea how to fix this problem?
 
As far as I know, Firefox supports TLS 1.3, but this version is not enabled by default. The main reason for that, likely, is that it is still only available as a draft.
So, try to enable TLSv1.3 in Firefox with the following method:
  1. Load about:config in the Firefox address bar. Confirm that you will be careful if the warning screen is shown. The Firefox Configuration editor opens.
  2. Search for security.tls.version.max
  3. Change the value of the preference to 4 by double-clicking on it.
 
Thank you for answering and really good advice.
I already knew it and made the Firefox value 4 change over half a year ago.
This is exactly what makes me wonder: Qualys says "OK" draft-18 and TLS 1.3 YES and supported.
But Chrome and Firefox fall back to TLS 1.2 for the missing handshake.
I think it came from browser updates or other updates (OpenSSL).

Greets
 
This seems to be a build problem (nginx or openssl or both), and sorry, I have no solution. In the handshake phase, Firefox cannot take the 1.3 path, so it falls back to 1.2. If you tell nginx to allow only 1.3 (no 1.2 fallback), the debug log of nginx says

2018/10/05 20:19:05 [info] 3021#3021: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 79.246.106.81, server: .0.0.0:443

Firefox 62.0.3 says

SSL_ERROR_PROTOCOL_VERSION_ALERT

so it seems not to be possible to run a "TLS 1.3 only" server. Firefox has problems with the handshake.
nginx/1.15.5 and openssl 1.1.1
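
Added example, not part of the thread: a small Python script that pulls `SSL_do_handshake() failed` entries like the ones quoted above out of an nginx error log, unpacks the OpenSSL error code, and counts failures per client. The sample lines and addresses are constructed, and the 8/12/12-bit code layout is the OpenSSL 1.1.x one, assumed here because the thread mentions openssl 1.1.1.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the nginx error-log entries quoted
# in this thread (addresses are documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
2018/03/24 21:28:07 [crit] 19857#19857: *16156 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 192.0.2.10, server: 198.51.100.5:443
2018/03/24 21:29:41 [error] 19857#19857: *16201 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.11, server: example.test
2018/10/05 20:19:05 [info] 3021#3021: *1 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
"""

HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] .*?SSL_do_handshake\(\) failed "
    r"\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\)"
    r".*?client: (?P<client>[^,\s]+), server: (?P<server>\S+)"
)

def unpack_error_code(code_hex):
    """Split a packed OpenSSL error code into (library, function, reason) numbers.

    Assumes the OpenSSL 1.1.x layout: 8-bit library, 12-bit function, 12-bit reason.
    """
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF

def parse_handshake_failures(log_text):
    """Return one dict per SSL_do_handshake() failure found in the log text."""
    failures = []
    for line in log_text.splitlines():
        match = HANDSHAKE_RE.search(line)
        if not match:
            continue  # unrelated log entry, e.g. a missing file
        entry = match.groupdict()
        entry["lib_num"], entry["func_num"], entry["reason_num"] = unpack_error_code(entry["code"])
        failures.append(entry)
    return failures

def summarize(failures):
    """Count failures per (client, reason text) to spot peers that never agree on a version."""
    return Counter((f["client"], f["reason"]) for f in failures)

if __name__ == "__main__":
    for (client, reason), count in summarize(parse_handshake_failures(SAMPLE_LOG)).items():
        print(f"{client}: {count} x {reason}")
```
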
 