
Nginx not using TLS 1.2 despite it being in the config #3825

Closed
MCZocker32 opened this issue Feb 19, 2024 · 8 comments
Labels
incomplete Issue template missing info

Comments

@MCZocker32

I can’t seem to find help anywhere, so I am asking here additionally.

I need TLS 1.2 for the iOS apps of Bitwarden and Jellyfin (Swiftfin). I set up my reverse proxy to use TLS 1.2 and 1.3 with ciphers from the Mozilla SSL Configurator.

I applied the settings again, I can see these settings in the nginx.conf using the shell, and I still don't have TLS 1.2. It's always just TLS 1.3 when I check it with these testing sites, and I also don't have a working app.

Before I used the one built into Synology DSM where it worked.

Anybody here that has an idea?

@OPNsense-bot

Thank you for creating an issue.
Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository,
please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

@OPNsense-bot OPNsense-bot added the incomplete Issue template missing info label Feb 19, 2024
@kulikov-a
Member

Any hints in the nginx general/access/error logs?
Can you share the server's ssl_* directive values from the config? (Maybe it's ssl_ciphers or ssl_prefer_server_ciphers.)

I can see these settings in the nginx.conf using the shell

I hope @fichtner will someday have time to look at #3678 and we will try to make it possible to view the config in the GUI 😉

@MCZocker32
Author

Any hints in the nginx general/access/error logs? Can you share the server's ssl_* directive values from the config? (Maybe it's ssl_ciphers or ssl_prefer_server_ciphers.)

Thanks for answering. I can't find anything TLS related in the logs. The ssl_* directives look like this:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers off;

I used this for reference. Seems to be something like Synology is using in their Nginx implementation.

@kulikov-a
Member

Got it, thanks. Looks good, so I think it's OpenSSL's work and it's not the default server in nginx?
What if you set these params in the default_server config or make this server the default_server?

@MCZocker32
Author

Setting the TLS 1.2 one as default_server worked, but now every entry seems to use TLS 1.2. Is that normal?

@kulikov-a
Member

In my understanding, yes. This is how OpenSSL works: if OpenSSL applies some of the params before the nginx SNI callback (and it looks like this is still the case from the time of https://forum.nginx.org/read.php?2,254016,254673#msg-254673) or there is a lack of SNI info in the request, then the default server params will be applied.
So yes, if you need to support the majority of clients, then you need to select trade-off params on the default server (a client with TLS 1.3 support will choose it; an older client will choose 1.2).

@MCZocker32
Author

I couldn't find anything in that regard, so thanks a lot for that. I guess I should apply the same settings for every entry then to make it even.

What would happen if I had multiple default servers and what exactly is the function of the default server?

@kulikov-a
Member

What would happen if I had multiple default servers and what exactly is the function of the default server?

There can be only one © default_server for every address:port pair. The default_server directive simply allows you to manipulate the order in which a server is selected for a suitable socket without changing the order of entries in the config:
https://nginx.org/en/docs/http/request_processing.html
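The mechanism described in the two answers above (the default_server's ssl_protocols are applied before SNI selects the vhost, so a protocol that only a non-default server lists is never offered on that socket) can be checked statically before reloading nginx. This is an added example, not the OPNsense plugin's or nginx's own code; it assumes ssl_protocols is set inside each server block and uses a constructed two-vhost config.

```python
import re

# Constructed sample: the TLSv1.2-capable vhost is not the default_server on :443.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    ssl_protocols TLSv1.3;
}
server {
    listen 443 ssl;
    server_name bitwarden.example;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def parse_servers(conf):
    # Minimal parser: one dict per server{} block (no includes, no nested blocks)
    servers = []
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # scan to the matching closing brace
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        listens = re.findall(r'^\s*listen\s+([^;]+);', body, re.M)
        protos = re.findall(r'^\s*ssl_protocols\s+([^;]+);', body, re.M)
        names = re.findall(r'^\s*server_name\s+([^;]+);', body, re.M)
        servers.append({
            'sockets': [l.split()[0] for l in listens],
            'default': any('default_server' in l for l in listens),
            'protocols': set(protos[-1].split()) if protos else set(),
            'name': names[0].split()[0] if names else '?',
        })
    return servers

def unreachable_protocols(conf):
    # Map 'socket name' -> protocols a vhost lists but its default_server omits
    by_sock = {}
    for s in parse_servers(conf):
        for sock in s['sockets']:
            by_sock.setdefault(sock, []).append(s)
    findings = {}
    for sock, group in by_sock.items():
        default = next((s for s in group if s['default']), group[0])  # first wins if none marked
        if not default['protocols']:  # inherited from http{}; cannot judge here
            continue
        for s in group:
            missing = s['protocols'] - default['protocols']
            if missing:
                findings[f"{sock} {s['name']}"] = sorted(missing)
    return findings
```

Running `unreachable_protocols(SAMPLE_CONF)` reports that bitwarden.example's TLSv1.2 can never be negotiated on :443, which is exactly the symptom in this thread; adding TLSv1.2 to the default_server clears the finding.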
