つれづれ日記
Securityカテゴリ 156/156
Fedora 29のnginx 1.12.1でTLS 1.3接続できた。

  • 上のスクリーンショットはChrome 70。
    最初は証明書が9月のままで「有効」と表示され、nginxサーバーのログにTLS 1.3とあるのにChromeはTLS 1.2と表示していた。Chrome内部のキャッシュを削除したところ現在のサーバー証明書の有効期限とTLS 1.3を表示するようになった。
  • サーバー証明書はLets EncryptのECC 384 bit
  • /etc/crypto-policies/configは使わず、nginxで暗号スイートを設定した
    ssl_ciphers	"ECDHE+ECDSA:!SHA";
    ssl_ecdh_curve	secp384r1:secp521r1:prime256v1;
    

$ curl -sIvo /dev/null https://diary.sshida.com/

*   Trying 2001:470:24:798::443...
* TCP_NODELAY set
* Connected to diary.sshida.com (2001:470:24:798::443) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [187 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2675 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [111 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=sshida.com
*  start date: Nov  3 12:16:01 2018 GMT
*  expire date: Feb  1 12:16:01 2019 GMT
*  subjectAltName: host "diary.sshida.com" matched cert's "diary.sshida.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* Using Stream ID: 1 (easy handle 0x561744c51530)
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
> HEAD / HTTP/2
> Host: diary.sshida.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
< HTTP/2 200 
< server: nginx
< date: Sat, 03 Nov 2018 14:22:42 GMT
< content-type: text/html;charset=utf-8
< content-language: ja
< cache-control: max-age=86400
< expires: Sun, 04 Nov 2018 14:20:50 GMT
< last-modified: Sat, 03 Nov 2018 14:20:50 GMT
< strict-transport-security: max-age=15552000; preload
< 
* Connection #0 to host diary.sshida.com left intact
Securityカテゴリ 156/156