TLS 1.3 for northbound traffic in Amazon Linux 2

Hi Team,

Is it possible to enable TLS 1.3 on Apigee Router (Private Cloud) in Amazon Linux 2?

The default openssl version is (under root user)

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

I also have 1.1.1  version installed for ec2-user

$ openssl version
OpenSSL 1.1.1g  21 Apr 2020

At the same time, I see that Nginx is built with an old 1.0.2k version

#  /opt/nginx/sbin/nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
...

I'm thinking about rebuilding the Nginx with a 1.1.1 OpenSSL

Have you tried just installing openssl 1.1.1 for the root user (same as nginx), setting up a vhost with SSL and checking with a TLS 1.3 client? Even though nginx is built using openssl 1.0.2, it should work with whatever openssl is installed on the node at the time of operation.

Thanks for the reply @neeldey,

I've tried OpenSSL 1.1.1 under root, but it didn't make a difference. The VH has TLS 1.3 enabled and the router properties also have 

Here is the output

[root]# openssl version
OpenSSL 1.1.1g  21 Apr 2020

[root]# cat /opt/nginx/conf.d/0-default.conf | grep ssl_protocols
ssl_protocols TLSv1.3;

[root]# curl -v --tlsv1.3 "https://localhost:9001/testproxy"
*   Trying 127.0.0.1:9001...
* Connected to localhost (127.0.0.1) port 9001 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
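The thread's two facts decide the outcome: `nginx -V` reports a build against OpenSSL 1.0.2k, and a 1.0.2 build links the `libssl.so.10` shared object, whose ABI is not compatible with 1.1.1's `libssl.so.1.1`. Installing a newer `openssl` command on PATH therefore changes nothing for the running router; only the library the nginx binary actually loads matters, and 1.0.2 has no TLS 1.3 at all, which is why the `--tlsv1.3` handshake ends in an alert. The script below is an added example, not code from the thread or from Apigee: it parses `nginx -V` and `ldd` output to give a build-time and a run-time verdict, using constructed sample output that mirrors the post, and includes a live probe function (assumed host, port and SNI name as parameters) for the router host itself.

```shell
#!/bin/sh
# Added example (not from the thread): can this nginx speak TLS 1.3?
#
# Two independent checks:
#  1. build-time: "built with OpenSSL x.y.z" from `nginx -V`
#  2. run-time : the libssl soname from `ldd /opt/nginx/sbin/nginx`
#       libssl.so.10  -> OpenSSL 1.0.2 ABI, no TLS 1.3
#       libssl.so.1.1 -> OpenSSL 1.1.x ABI, TLS 1.3 from 1.1.1 onward
#       libssl.so.3   -> OpenSSL 3.x, TLS 1.3
# A newer `openssl` binary on PATH changes neither of these.

# Constructed sample output, mirroring what the post shows.
SAMPLE_NGINX_V='nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

# Constructed ldd output for a binary built against OpenSSL 1.0.2 on EL7/AL2.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007ffd5a7e9000)
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f0c1c5a0000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0c1c13f000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0c1bb7c000)'

# built_openssl_version "<nginx -V output>"  -> e.g. "1.0.2k-fips"
built_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# linked_libssl "<ldd output>"  -> e.g. "libssl.so.10"; empty if statically linked
linked_libssl() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(libssl\.so[^ ]*\) =>.*/\1/p' | head -n 1
}

# openssl_supports_tls13 "<version>"  -> status 0 for 1.1.1+ or 3.x, else 1
openssl_supports_tls13() {
    ver=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;            # unparseable: assume not capable
    esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -ge 3 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# soname_supports_tls13 "<libssl soname>"  -> status 0 only for the 1.1 or 3 ABI
soname_supports_tls13() {
    case "$1" in
        libssl.so.1.1|libssl.so.3) return 0 ;;
        *) return 1 ;;
    esac
}

# tls13_verdict "<nginx -V>" "<ldd>"  -> prints "tls13-capable" or "no-tls13: <reason>"
tls13_verdict() {
    built=$(built_openssl_version "$1")
    lib=$(linked_libssl "$2")
    if [ -z "$lib" ]; then
        # Statically linked: only the build-time version can matter.
        if openssl_supports_tls13 "$built"; then
            echo "tls13-capable"
        else
            echo "no-tls13: statically built with OpenSSL $built"
        fi
        return 0
    fi
    if soname_supports_tls13 "$lib"; then
        echo "tls13-capable"
    else
        echo "no-tls13: links $lib (OpenSSL $built ABI)"
    fi
}

# Live probe for the router host (not exercised here). Needs an openssl 1.1.1+
# client binary for -tls1_3. Status 0 when the server negotiates TLS 1.3.
#   probe_tls13 localhost 9001 api.example.internal   # assumed SNI name
probe_tls13() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$3" -tls1_3 2>/dev/null \
        | grep -q 'TLSv1.3, Cipher'
}

# Stand-alone run: verdict for the sample data from the post.
tls13_verdict "$SAMPLE_NGINX_V" "$SAMPLE_LDD"
```

On the router host, replace the samples with `"$(/opt/nginx/sbin/nginx -V 2>&1)"` and `"$(ldd /opt/nginx/sbin/nginx)"`. A verdict of `tls13-capable` from the binary plus a successful `probe_tls13` is the combination to look for; a 1.0.2 verdict means the fix is a binary built against (and loading) a 1.1.1 library, such as the `openssl11-libs` package on Amazon Linux 2, not a newer `openssl` command.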