timdoug's interesting tidbits

Little bits of technical documentation and such. Hopefully helpful.

2018-12-28

Changing the ciphersuite preference order for TLSv1.3 with OpenSSL and nginx

nginx doesn't (yet) support configuring TLSv1.3 ciphersuite order preference. It's hardcoded in OpenSSL in include/openssl/ssl.h, so to e.g. prioritize ChaCha20 over the AES suites, apply the following patch:

diff -urN openssl-1.1.1a-old/include/openssl/ssl.h openssl-1.1.1a/include/openssl/ssl.h
--- openssl-1.1.1a-old/include/openssl/ssl.h	2018-11-20 13:35:40.000000000 +0000
+++ openssl-1.1.1a/include/openssl/ssl.h	2018-12-26 05:32:44.915797200 +0000
@@ -173,8 +173,8 @@
 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
 /* This is the default set of TLSv1.3 ciphersuites */
 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
-                                   "TLS_CHACHA20_POLY1305_SHA256:" \
+#  define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+                                   "TLS_AES_256_GCM_SHA384:" \
                                    "TLS_AES_128_GCM_SHA256"
 # else
 #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
Then build as normal: ./configure --with-openssl=/path/to/patched/openssl-1.1.1a etc.

[/security] permanent link


© 2006-18 timdoug | email: "me" at this domain
So necessary