webserver+openssl 1.1.1c failing to use CHACHA20 ciphers, and fails to launch at all if just TLSv1.3 cipherlist is specified?


PGNet Dev-6
I run nginx 1.17.1 + openssl 1.1.1c on linux.

I typically configure recommended defaults for SSL usage, and it "just works", with ssllabs reporting my sites as healthy with an "A+", fwiw.

Now, I'm currently working on setting up a local-only server, attempting to get it to use TLSv1.3/CHACHA20 only.

So I'm trying to tighten down restrictions in config.  With my attempted restrictions in place, I've found that I'm apparently NOT using TLSv1.3/CHACHA20.

The current test setup follows; I'm not clear where the problem is -- in nginx, openssl, or my config of either/both.  I'm _guessing_ it's my usage/config ...

I've installed

        which openssl
                /usr/local/openssl/bin/openssl
        openssl version
                OpenSSL 1.1.1c  28 May 2019

nginx is built with/linked to this version

        nginx -v
                nginx version: nginx/1.17.1
        ldd `which nginx` | grep ssl
                libssl.so.1.1 => /usr/local/openssl/lib64/libssl.so.1.1 (0x00007f95bdc09000)
                libcrypto.so.1.1 => /usr/local/openssl/lib64/libcrypto.so.1.1 (0x00007f95bd6f9000)

With this nginx config

        server {

                listen 10.0.1.20:443 ssl http2;

                server_name test.dev.lan;
                root /data/webapps/nulldir;
                index index.html;

                rewrite_log on;
                access_log  /var/log/nginx/access.log main;
                error_log   /var/log/nginx/error.log info;

                ssl_protocols TLSv1.3 TLSv1.2;
                ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
                ssl_ecdh_curve X25519:prime256v1:secp384r1;
                ssl_prefer_server_ciphers on;

                ssl_trusted_certificate "/usr/local/etc/ssl/myCA/myCA.chain.crt.pem";
                ssl_certificate         "/usr/local/etc/ssl/test/test.ec.crt.pem";
                ssl_certificate_key     "/usr/local/etc/ssl/test/test.ec.key.pem";

            location / {
            }

        }

config check is ok,

        nginxconfcheck
                nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
                nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

and I see a TLS 1.3 handshake,

        openssl s_client -connect 10.0.1.20:443 -CAfile /usr/local/etc/ssl/myCA/myCA.chain.crt.pem
                CONNECTED(00000003)
                Can't use SSL_get_servername
                depth=2 O = dev.lan, OU = myCA, L = NewYork, ST = NY, C = US, emailAddress = [hidden email], CN = myCA_ROOT
                verify return:1
                depth=1 C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT, emailAddress = [hidden email]
                verify return:1
                depth=0 C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN = test.dev.lan, emailAddress = [hidden email]
                verify return:1
                ---
                Certificate chain
                 0 s:C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN = test.dev.lan, emailAddress = [hidden email]
                   i:C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT, emailAddress = [hidden email]
                ---
                Server certificate
                -----BEGIN CERTIFICATE-----
                MIIEhjCCBAygAwIBAgICELAwCgYIKoZIzj0EAwIwgbAxCzAJBgNVBAYTAlVTMQsw
                ...
                VHldKgTNpiGuFA==
                -----END CERTIFICATE-----
                subject=C = US, ST = NY, L = NewYork, O = dev.lan, OU = myCA, CN = test.dev.lan, emailAddress = [hidden email]

                issuer=C = US, ST = NY, O = dev.lan, OU = myCA, CN = myCA_INT, emailAddress = [hidden email]

                ---
                No client certificate CA names sent
                Peer signing digest: SHA384
                Peer signature type: ECDSA
                Server Temp Key: X25519, 253 bits
                ---
                SSL handshake has read 1565 bytes and written 373 bytes
                Verification: OK
                ---
                New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
                Server public key is 384 bit
                Secure Renegotiation IS NOT supported
                No ALPN negotiated
                Early data was not sent
                Verify return code: 0 (ok)
                ---
                ---
                Post-Handshake New Session Ticket arrived:
                SSL-Session:
                    Protocol  : TLSv1.3
                    Cipher    : TLS_AES_256_GCM_SHA384
                    Session-ID: CA79B0596A2CCF19BBA9A49E086F99E7F811FAC8349888E37531E46B17FE35A9
                    Session-ID-ctx:
                    Resumption PSK: 9966170E5086490D231260B15CDA6852D0CCDED661D1C075BF0DE3334C89472B158F2524282DD5F1175381B4317D8DC9
                    PSK identity: None
                    PSK identity hint: None
                    SRP username: None
                    TLS session ticket lifetime hint: 300 (seconds)
                    TLS session ticket:
                    0000 - 1e 49 9a 75 97 46 90 9c-8a ec 1b 8d ac 90 5a a6   .I.u.F........Z.
                    ...
                    00d0 - 49 e4 e0 50 62 3b 45 a5-10 f9 9e 2e 43 09 41 40   I..Pb;E.....C.A@

                    Start Time: 1563419052
                    Timeout   : 7200 (sec)
                    Verify return code: 0 (ok)
                    Extended master secret: no
                    Max Early Data: 0
                ---
                read R BLOCK
                ---
                Post-Handshake New Session Ticket arrived:
                SSL-Session:
                    Protocol  : TLSv1.3
                    Cipher    : TLS_AES_256_GCM_SHA384
                    Session-ID: 1B65B9377224E89FA226C7DC8103E3A57C13798F9FAA0B909BC36E436EE95DC9
                    Session-ID-ctx:
                    Resumption PSK: FEDFC913674474BC83DBE17F4290CA744C92E0763B450C6C489724442E2B2C6F14849A6910356B7ADFFEA3D03D2E7931
                    PSK identity: None
                    PSK identity hint: None
                    SRP username: None
                    TLS session ticket lifetime hint: 300 (seconds)
                    TLS session ticket:
                    0000 - 1e 49 9a 75 97 46 90 9c-8a ec 1b 8d ac 90 5a a6   .I.u.F........Z.
                    ...
                    00d0 - c9 d0 19 a1 00 6d 72 37-f7 f4 39 6b dd 48 4d cf   .....mr7..9k.HM.

                    Start Time: 1563419052
                    Timeout   : 7200 (sec)
                    Verify return code: 0 (ok)
                    Extended master secret: no
                    Max Early Data: 0
                ---
                read R BLOCK
                closed


but the cipher used is

        TLS_AES_256_GCM_SHA384

NOT either of the CHACHA20 options,

        TLS-CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305

And, if I change nginx to be 'TLSv1.3-only',

- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
+ ssl_protocols TLSv1.3;
+ ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256";
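
Review bot: on the added ssl_ciphers line, the one name dropped (ECDHE-ECDSA-CHACHA20-POLY1305) is the only entry in the old string that is not a TLS13-* name, and the config check output that follows reports SSL_CTX_set_cipher_list "no cipher match" for the new string. The s_client output earlier in the post spells the negotiated suite TLS_AES_256_GCM_SHA384, not TLS13-AES-256-GCM-SHA384, so the TLS13-* spellings are not the names this OpenSSL build reports. Suggest keeping a name the cipher-list parser matches in ssl_ciphers and restricting the protocol through ssl_protocols TLSv1.3 alone.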

even the webserver config check FAILs,

        nginxconfcheck
                TLS13-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
                nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

and the server fails to start.

So I _see_ two issues,

  (1) when the webserver config passes, with not-just-TLS1.3 ciphers enabled in the config, I get an SSL connection, using TLS1.3, but NOT the hoped-for CHACHA20 ciphers.

  (2) when I list ONLY TLS1.3 ciphers, the config check fails, and the server won't start.

What's preventing the use of a TLSv1.3-only cipherlist, and specifically the use of CHACHA20 ciphers in the connection?

My config? My cert? other?

I can certainly provide more detail; just not clear what to gather, atm.
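
Added example (not part of the original post, and not nginx or OpenSSL project code): a check of which names in the posted ssl_ciphers string the OpenSSL cipher-list parser matches, using Python's ssl module, whose SSLContext.set_ciphers() calls the same SSL_CTX_set_cipher_list() named in the error above. It assumes a Python linked against OpenSSL 1.1.1 or later; the function and constant names are illustrative.

```python
import ssl

# ssl_ciphers value from the post's first config (TLSv1.3 + TLSv1.2).
POSTED = ("TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 "
          "TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305")
# Same string with the last entry dropped (the post's TLSv1.3-only attempt).
POSTED_TLS13_ONLY = " ".join(POSTED.split()[:3])


def _server_ctx():
    # No certificate is loaded: only cipher-string parsing is exercised.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def accepted(cipher_string):
    """True if SSL_CTX_set_cipher_list() accepts the string."""
    try:
        _server_ctx().set_ciphers(cipher_string)
    except ssl.SSLError:  # Python reports "No cipher can be selected."
        return False
    return True


def classify(cipher_string):
    """Test each name alone; in a longer list an unmatched name is skipped silently."""
    return {name: accepted(name) for name in cipher_string.split()}


def enabled(cipher_string):
    """Return {suite name: protocol} enabled after applying the string."""
    ctx = _server_ctx()
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for name, ok in classify(POSTED).items():
        print(f"{'match   ' if ok else 'no match'}  {name}")
    print("TLSv1.3-only string accepted:", accepted(POSTED_TLS13_ONLY))
    for name, proto in enabled(POSTED).items():
        print(f"{proto:8} {name}")
```

The TLSv1.3 suites appear in the enabled set under their TLS_* names whatever the cipher string says, because OpenSSL 1.1.1 configures them separately, through SSL_CTX_set_ciphersuites(), and not through the cipher list.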