I use Nginx + Let's Encrypt with OpenSSL on my server. I wanted to use TLSv1.2 and TLSv1.3. But I wanted to use very specific SSL ciphers. Specifically:
- TLS_AES_256_GCM_SHA384 (TLSv1.3)
- TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
- ECDHE-RSA-AES256-GCM-SHA384 (TLSv1.2)
- ECDHE-RSA-CHACHA20-POLY1305 (TLSv1.2)
- DHE-RSA-AES256-GCM-SHA384 (TLSv1.2)
- DHE-RSA-CHACHA20-POLY1305 (TLSv1.2)
but not TLS_AES_128_GCM_SHA256 (TLSv1.3). I have tried multiple configurations in the Nginx configuration file to disable this cipher, but it didn't work. Some of them are:
ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
– Adding double quotes

ssl_ciphers "!TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
– Adding ! to that cipher

ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
– Without double quotes
So how do I achieve this? Thank you and have a nice day.
Best Answer
Nginx doesn't support configuring TLS 1.3 cipher suites like this, and you shouldn't: as per RFC 8446, section 9.1, there are Mandatory-to-Implement Cipher Suites.
If you really want to mess with this, you'd have to disable the mandatory cipher suite in the OpenSSL CONF library configuration file openssl.cnf, as explained in e.g. Perfect 100 SSL-Labs Score Revisited:
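To see why none of the ssl_ciphers attempts in the question remove TLS_AES_128_GCM_SHA256, here is an added Python check (not code from the question, the answer, or nginx) that pushes the question's cipher string through the same OpenSSL call nginx's ssl_ciphers uses (SSL_CTX_set_cipher_list, exposed by Python as SSLContext.set_ciphers) and reports which suites remain enabled per protocol:

```python
import ssl

# The cipher string tried in the question, verbatim.
NGINX_SSL_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
)


def tls13_supported() -> bool:
    """True when the linked OpenSSL build offers TLS 1.3 at all."""
    return ssl.HAS_TLSv1_3


def suites_after_set_ciphers(cipher_string: str) -> dict:
    """Apply cipher_string via SSL_CTX_set_cipher_list (what nginx ssl_ciphers
    does) and group the suites OpenSSL will still negotiate by protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def tls13_suites_after(cipher_string: str) -> list:
    """TLS 1.3 suites left enabled; the cipher list string cannot touch these,
    because OpenSSL keeps them in a separate 'ciphersuites' list."""
    return suites_after_set_ciphers(cipher_string).get("TLSv1.3", [])


def pre_tls13_suites_after(cipher_string: str) -> list:
    """Everything below TLS 1.3; this is the part ssl_ciphers really controls."""
    grouped = suites_after_set_ciphers(cipher_string)
    return [n for proto, names in grouped.items() if proto != "TLSv1.3" for n in names]


if __name__ == "__main__":
    for attempt in (NGINX_SSL_CIPHERS, "!TLS_AES_128_GCM_SHA256:" + NGINX_SSL_CIPHERS):
        print("TLS 1.3 still enabled:", tls13_suites_after(attempt))
        print("TLS 1.2 enabled:      ", pre_tls13_suites_after(attempt))
```

On an OpenSSL 1.1.1+ build the TLS 1.2 list shrinks to exactly the suites named, while TLS_AES_128_GCM_SHA256 stays in the TLS 1.3 list for both attempts, including the one with the "!" prefix. That separate list is only reachable through OpenSSL's own Ciphersuites setting (SSL_CTX_set_ciphersuites, or the openssl.cnf route the answer points to), not through nginx's ssl_ciphers.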