Hi Team,
Is it possible to enable TLS 1.3 on Apigee Router (Private Cloud) in Amazon Linux 2?
The default openssl version is (under root user)
# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
I also have 1.1.1 version installed for ec2-user
$ openssl version
OpenSSL 1.1.1g 21 Apr 2020
At the same time, I see that Nginx is built with an old 1.0.2k version
# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
...
I'm thinking about rebuilding Nginx with OpenSSL 1.1.1.
Have you tried just installing openssl 1.1.1 for the root user (same as nginx), setting up a vhost with SSL and checking with a TLS 1.3 client? Even though nginx is built using openssl 1.0.2, it should work with whatever openssl is installed on the node at the time of operation.
Thanks for the reply @neeldey,
I've tried OpenSSL 1.1.1 under root, but it didn't make a difference. The VH has TLS 1.3 enabled and router properties are also have
Here is the output:
[root]# openssl version
OpenSSL 1.1.1g 21 Apr 2020
[root]# cat /opt/nginx/conf.d/0-default.conf | grep ssl_protocols
ssl_protocols TLSv1.3;
[root]# curl -v --tlsv1.3 "https://localhost:9001/testproxy"
* Trying 127.0.0.1:9001...
* Connected to localhost (127.0.0.1) port 9001 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
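A check that follows neeldey's suggestion and accounts for the handshake failure above, as an added example that is not part of the thread: OpenSSL 1.0.2 has no TLS 1.3 implementation, so an nginx loading that library answers a TLS-1.3-only client with a handshake_failure alert no matter which openssl binary is in the shell's PATH. The script reads the version nginx itself reports, decides whether that version can negotiate TLS 1.3 at all, and optionally runs a TLS-1.3-only probe against a port. It assumes POSIX sh with sed, an OpenSSL 1.1.1+ client for the live probe, and the hypothetical file name check_tls13.sh.

```shell
#!/bin/sh
# Added example, not from the thread: report which OpenSSL an nginx binary
# really uses, whether that version can do TLS 1.3, and optionally probe a port.
# TLS 1.3 needs OpenSSL >= 1.1.1; the 'openssl' CLI in $PATH is a different
# program from the libssl nginx loads, so its version alone proves nothing.

# Print the OpenSSL version from 'nginx -V' text ($1, e.g. "$(nginx -V 2>&1)"):
# "built with OpenSSL" is compile time; a "running with OpenSSL" line (printed
# when the loaded library differs) is run time and wins when present.
nginx_openssl_version() {
    running=$(printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    built=$(printf '%s\n' "$1" | sed -n 's/.*built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    if [ -n "$running" ]; then printf '%s\n' "$running"; else printf '%s\n' "$built"; fi
}

# Return 0 if a version string (1.0.2k-fips, 1.1.1g, 3.0.7, ...) is >= 1.1.1.
openssl_has_tls13() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')     # 1.0.2k-fips -> 1.0.2
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                 # no third component
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Live check: offer only TLS 1.3 to host:port; needs an OpenSSL 1.1.1+ client
# (the ec2-user one in the thread qualifies, the root 1.0.2k one does not).
probe_tls13() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -tls1_3 </dev/null 2>&1)
    case "$out" in
        *"New, TLSv1.3,"*)  echo "TLS 1.3 negotiated with $1:$2"; return 0 ;;
        *"unknown option"*) echo "client openssl too old for -tls1_3"; return 2 ;;
        *)                  echo "TLS 1.3 not negotiated by $1:$2"; return 1 ;;
    esac
}

# Constructed sample: the 'nginx -V' output posted in the thread.
SAMPLE_NGINX_V='nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled'
nginx_ssl=$(nginx_openssl_version "$SAMPLE_NGINX_V")
if openssl_has_tls13 "$nginx_ssl"; then
    echo "nginx uses OpenSSL $nginx_ssl: TLS 1.3 possible"
else
    echo "nginx uses OpenSSL $nginx_ssl: no TLS 1.3 until relinked/rebuilt against >= 1.1.1"
    echo "confirm the loaded library on the host: ldd /opt/nginx/sbin/nginx | grep libssl"
fi
if [ "$#" -ge 2 ]; then probe_tls13 "$1" "$2"; fi   # sh check_tls13.sh <host> <port>
```

On a host where ldd shows libssl.so.10 (the 1.0.2 SONAME on RHEL-family systems), installing a 1.1.1 package alongside does not change what nginx loads; the binary has to be rebuilt or relinked against the newer library.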