How do I disable just one cipher out of OpenSSL TLSv1.3 list?

nginx openssl ubuntu-18.04 lets-encrypt cipher
5,245

Nginx doesn't support configuring TLS 1.3 cipher suites like this, and you shouldn't, as per RFC 8446, 9.1 there are Mandatory-to-Implement Cipher Suites.

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).

If you really want to mess with this, you'd have to disable the mandatory cipher suite in the OpenSSL CONF library configuration files openssl.cnf as explained in e.g. Perfect 100 SSL-Labs Score Revisited:

[system_default_sect] 
MinProtocol = TLSv1.2 
CipherString = DEFAULT@SECLEVEL=2 
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 
Options = ServerPreference,PrioritizeChaCha 
...

This will state to your OS that the minimum TLS version used is TLS1.2 and the Ciphersuites to use ar the ones specified. Please note that I have only specified TLS1.3 suites. If you need TLS1.2 support, do add "some" of them.

Share:
5,245
Hadi
Author by

Hadi

Updated on September 18, 2022

Comments

  • Hadi
    Hadi over 1 year

    I use Nginx + Let's Encrypt with OpenSSL on my server. I wanted to use TLSv1.2 and TLSv1.3. But I wanted to use very specific SSL ciphers. Specifically:

    • TLS_AES_256_GCM_SHA384 (TLSv1.3),
    • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3),
    • ECDHE-RSA-AES256-GCM-SHA384 (TLSv1.2),
    • ECDHE-RSA-CHACHA20-POLY1305 (TLSv1.2),
    • DHE-RSA-AES256-GCM-SHA384 (TLSv1.2),
    • DHE-RSA-CHACHA20-POLY1305 (TLSv1.2),

    but not TLS_AES_128_GCM_SHA256 (TLSv1.3). I have done multiple configuration on Nginx configuration file to disable this cipher but it didn't work. Some of them are:

    • ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"; - Adding double quotes
    • ssl_ciphers "!TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"; - Adding ! to that cipher
    • ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 - Without double quotes

    So how do I achieve this? Thank you and have a nice day.

  • Michael Hampton
    Michael Hampton over 3 years
    Note that if you do this, you won't be able to communicate via TLS 1.3 with a minimal TLS 1.3 implementation that only has TLS_AES_128_GCM_SHA256. I'm not aware of any such implementation right now, but there probably is one out there somewhere, maybe in IoT devices...
  • Hadi
    Hadi over 3 years
    I would try this in an hour. This looks promising. Thank you!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

nginx critical error with SSL handshaking
NGINX - "server" directive is not allowed here
Tornado SSL certs
Missing `secret_key_base` for 'production' environment on Ubuntu 18.04 server (Rails 6.0), multiple topics tried
Let's Encrypt unauthorized 403 forbidden
Enable TLS 1.0 and TLS 1.1 on Ubuntu 20.04
How to enable TLS 1.2 in Nginx?
nginx ./configure can't find openssl
Permissions for SSL key?
How to install cert-bot/letsencypt on Ubuntu?