Unable to enable specific ciphers #247
I need to enable a specific cipher for TLS v1.2 which is used by an old system to connect to our service via nginx as reverse proxy.
The default SSL configuration doesn't let the service connect and gives us a generic "ssl handshake failed". After some research I found out I need to enable the AES128-GCM-SHA256 cipher, but despite adding it to the nginx.conf file, which then gets mounted in the image, nginx won't use it.
Using the ssllabs.com tool the cipher suite I get is the following one:
which does not include the needed cipher.
I'm getting a bit lost online searching for various info; it looks like that if:
Then it should appear and be available. But it's not.
An older setup (nginx directly installed on the host, not via docker) from which the config was copy-pasted does allow the usage, as confirmed via the ssllabs tool:
Is there something about it I need to know?

Comments

Hi ivanvaccari, Can you post your nginx.conf file and explain how you mount it into the container. On a

Hi, this is the nginx.config in use:
The needed cipher is TLS_RSA_WITH_AES_128_GCM_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/). The compose configuration used to launch the instance:

Well, if you look at the list of ciphers you listed:
You see that none of the other alternatives have underscores in them. If you follow your link you also see the "openssl name" (

Used all the names in various attempts. Currently the ssl_ciphers I'm using is
And the value is correctly set in the container:
shows:
However it's not active (testing from a local cli):
ssllabs doesn't show it either. Does the fact that the container uses openssl 3 have something that influences it?

Did you restart or just reload the container after changing the config? And does nginx say anything in the logs about any problems?

Questions regarding how nginx interacts with openssl are probably better asked in the parent container's GitHub since we just add some nice-to-have shell scripts at startup and don't touch nginx at all.

I'm using docker swarm to manage images; the command I usually use to force the reload is this:
Actually I'm not 100% sure what it does, but it should restart the container because usually it creates/removes containers before creating new ones.

If you see the config changed inside the container then I think it does a full restart of it, as is necessary with file mounts, so that is good. The TLS_RSA_WITH_AES_128_GCM_SHA256 (AES128-GCM-SHA256) cipher suite is part of TLS1.2, and appears to be supported by OpenSSL v3, so I don't think that is the problem. You don't happen to override something through the other configuration files here?
Then I would suggest you restart the container with the environment variable

No overrides apparently. redirector is the default of the image, default.cnf is the following:
I'll try

Unless there is something in the log you should probably reach out to the Nginx community to potentially get answers from those who know this program in more detail than me :)

I feel a little bit stupid to ask this question: I have enabled the DEBUG=1 flag, also by adding the "debug" directive to the "error_log" (docs here https://nginx.org/en/docs/debugging_log.html) but... where am I supposed to read this log? The Some ideas?

The parent image forwards (by default) the logs to stdout and stderr so it can be handled by the Docker log collector.

Docker swarm is just an alternative mode to orchestrate containers, but all the other options of docker are still available. Definitely. It's horrible to say it, but to make it work I've proxied the set of specific REST APIs used by that old system via an unencrypted HTTP endpoint. The sysadmin of the remote system doesn't want to enable more modern ciphers on their system.

This seems like a little bit unexpected behavior since OpenSSL defines it as being part of TLS1.2, but using the Mozilla generator you linked the cipher mentioned only shows up on the OLD setting which defines all the other TLS versions as well.
A last try could perhaps be to add these as well to see if it works? While I think the remote system is in the wrong (and I sure hope they don't handle any sensitive data), you could point a "legacy" domain name to your old Nginx deployment and then just let it establish a connection with your new Nginx for this particular system.
Also, I don't think this cipher needs it, but you could also try to add the

Already tried (was one of the first things I did), but it still only enables TLS>=1.2, probably due to this: openssl/openssl#13299 (comment). I'm stopping following this problem for now to mature some other ideas/research.

Alright, you could also post this issue for the original Nginx container to see if someone has similar experiences: https://github.com/nginxinc/docker-nginx

Fyi: this solved the issue: nginxinc/docker-nginx#893 Quick solution: AES128-GCM-SHA256 requires an RSA key-based SSL certificate to be enabled: From but the certificate generated by docker.nginx-certbot is ECDSA-based. I have deleted the previous certificate and set

Thank you for returning with the answer here, today I learned something as well! In the linked issue they mention dual certificates, and we actually have an example here if you are interested: https://github.com/JonasAlfredsson/docker-nginx-certbot/blob/master/examples/example_server_multicert.conf
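The root cause found in this thread is that `AES128-GCM-SHA256` (TLS_RSA_WITH_AES_128_GCM_SHA256) uses RSA key exchange and RSA authentication, so a server whose only certificate has an ECDSA key can list it in `ssl_ciphers` all day and still never offer it. The following script is an added example, not code from the issue or from the docker-nginx-certbot project; it uses only Python's standard `ssl` module on top of the local OpenSSL build to read the key-exchange and authentication attributes OpenSSL assigns to each suite, and then works out which of a configured cipher list a certificate of a given key type can actually serve. The `rsa`/`ecdsa` key-type labels and the two cipher names are constructed inputs for the demonstration.

```python
import ssl

# Constructed example values: the OpenSSL cipher names discussed in the issue.
RSA_KX_SUITE = "AES128-GCM-SHA256"             # TLS_RSA_WITH_AES_128_GCM_SHA256
ECDSA_SUITE = "ECDHE-ECDSA-AES128-GCM-SHA256"  # a suite an ECDSA cert can serve


def cipher_requirements(openssl_names):
    """Map each configured cipher name to its (key_exchange, authentication)
    attributes as reported by the local OpenSSL build through the ssl module
    (for example ('kx-rsa', 'auth-rsa')). The TLS 1.3 suites that OpenSSL
    always appends to the list are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(":".join(openssl_names))  # same string nginx's ssl_ciphers takes
    reqs = {}
    for c in ctx.get_ciphers():
        if c["name"] in openssl_names:
            reqs[c["name"]] = (c["kea"], c["auth"])
    return reqs


def suites_a_certificate_can_offer(cert_key_type, openssl_names):
    """Return the subset of openssl_names a server could actually negotiate
    when its only certificate has the given key type ('rsa' or 'ecdsa').
    A suite whose authentication is auth-rsa needs an RSA certificate, one
    with auth-ecdsa needs an ECDSA certificate; being in the configured list
    alone does not make a suite available, which is what the issue ran into."""
    wanted = f"auth-{cert_key_type.lower()}"
    reqs = cipher_requirements(openssl_names)
    return [name for name in openssl_names
            if name in reqs and reqs[name][1] == wanted]


if __name__ == "__main__":
    both = [RSA_KX_SUITE, ECDSA_SUITE]
    for name, (kx, auth) in cipher_requirements(both).items():
        print(f"{name}: key exchange={kx}, authentication={auth}")
    print("ECDSA-only certificate can offer:", suites_a_certificate_can_offer("ecdsa", both))
    print("RSA-only certificate can offer:  ", suites_a_certificate_can_offer("rsa", both))
```

With an ECDSA-only certificate the RSA key-exchange suite drops out of the offered set, exactly as ssllabs reported in the thread. The fix chosen in the issue was to switch to an RSA certificate; the alternative the last comment links to is loading both an RSA and an ECDSA certificate in the same `server` block (nginx accepts several `ssl_certificate`/`ssl_certificate_key` pairs), so the legacy client gets the RSA suite while modern clients keep negotiating ECDSA ones.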