Nginx in jail no TLSv1.3 support.

Sasquatch

Explorer
Joined
Nov 11, 2017
Messages
87
I have a reverse proxy running in a jail.
Installed:
nginx-1.18.0_15
openssl-1.1.1g

Both should, in theory, give TLSv1.3 support.

nginx.conf:
Code:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

ssl_ecdh_curve secp384r1;



Every SSL check tool I try detects only TLSv1.2 support. With only TLSv1.3 in the config, I'm getting a "no protocol supported" error in testers.

I'm still getting A+ on ssllabs.com
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Try upgrading openssl. pkg shows openssl is now at 1.1.1g.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You'll have to install nginx from ports with the option DEFAULT_VERSIONS+=ssl=openssl111
 

Sasquatch

> Try upgrading openssl. pkg shows openssl is now at 1.1.1g.

Done, no change.

> You'll have to install nginx from ports with the option DEFAULT_VERSIONS+=ssl=openssl111

Excuse my ignorance, how do I do that?
Navigate to the nginx port source and build it by invoking make with DEFAULT_VERSIONS+=ssl=openssl111 as a parameter?

Strange... pkg shows openssl as 1.1.1g, but when I run it and enter "version" it returns 1.0.2s...
What's even stranger, removing openssl doesn't stop nginx or openssl from working... WTF!!!
 

Sasquatch

Mystery solved.
OpenSSL ver 1.0.2s is part of the standard jail installation; pkg isn't overwriting the binary in /usr/bin/ during installation.
 

Jailer

> Strange... pkg shows openssl as 1.1.1g, but when I run it and enter "version" it returns 1.0.2s.

That's because it returns the version of the base openssl.

> What's even stranger, removing openssl doesn't stop nginx or openssl from working... WTF!!!

That just removes the openssl package that you installed; you can't remove the base openssl, as other software is dependent upon it.

> Excuse my ignorance, how do I do that?
https://www.freebsd.org/doc/handbook/ports-using.html
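
The mismatch in this thread (pkg reports openssl 1.1.1g while the base binary in /usr/bin answers 1.0.2s) can be checked from nginx's side by reading the OpenSSL version in `nginx -V` output. The script below is an added example, not part of the thread; the function names and the two sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): decide from `nginx -V` text whether the
# OpenSSL that nginx itself uses can offer TLSv1.3, which needs 1.1.1 or newer.

# Print the OpenSSL version nginx reports: the "running with" version when
# nginx prints one, otherwise the "built with" version.
nginx_openssl_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*running with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' \
        -e 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Return 0 when an OpenSSL version (1.0.2s, 1.1.1g, 3.0.13) is >= 1.1.1.
openssl_has_tls13() {
    ver=$(printf '%s' "$1" | sed 's/[a-z]*$//')   # drop letter suffix
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    # Reject anything that is not three dot-separated numbers.
    case "$major.$minor.$patch" in *[!0-9.]*|.*|*..*|*.) return 1 ;; esac
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# Print a one-line verdict for a captured `nginx -V` output.
nginx_tls13_verdict() {
    v=$(nginx_openssl_version "$1")
    if [ -z "$v" ]; then echo "unknown: no OpenSSL version in nginx -V output"
    elif openssl_has_tls13 "$v"; then echo "OpenSSL $v: TLSv1.3 available"
    else echo "OpenSSL $v: TLSv1.3 not available"
    fi
}

# Constructed samples in the format `nginx -V` prints (to stderr).
BASE_BUILD='nginx version: nginx/1.18.0
built with OpenSSL 1.0.2s-freebsd  28 May 2019
TLS SNI support enabled'
PORTS_BUILD='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled'

nginx_tls13_verdict "$BASE_BUILD"
nginx_tls13_verdict "$PORTS_BUILD"
# On a live jail: nginx_tls13_verdict "$(nginx -V 2>&1)"
```

The version that matters is the one nginx reports, not what `pkg info` lists or what the `openssl` binary found first in the PATH prints.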
 