TLS 1.3 for northbound traffic in Amazon Linux 2

Hi Team,

Is it possible to enable TLS 1.3 on Apigee Router (Private Cloud) in Amazon Linux 2?

The default openssl version is (under the root user):

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

I also have version 1.1.1 installed for ec2-user:

$ openssl version
OpenSSL 1.1.1g  21 Apr 2020

At the same time, I see that Nginx is built with an old 1.0.2k version:

#  /opt/nginx/sbin/nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
...

I’m thinking about rebuilding Nginx with OpenSSL 1.1.1.

Have you tried just installing openssl 1.1.1 for the root user (same as nginx), setting up a vhost with SSL and checking with a TLS 1.3 client? Even though nginx is built using openssl 1.0.2, it should work with whatever openssl is installed on the node at the time of operation.


Thanks for the reply @neeldey,

I’ve tried OpenSSL 1.1.1 under root, but it didn’t make a difference. The VH has TLS 1.3 enabled, and the router properties also have

Here is the output:

[root]# openssl version
OpenSSL 1.1.1g  21 Apr 2020

[root]# cat /opt/nginx/conf.d/0-default.conf | grep ssl_protocols
ssl_protocols TLSv1.3;

[root]# curl -v --tlsv1.3 "https://localhost:9001/testproxy"
*   Trying 127.0.0.1:9001...
* Connected to localhost (127.0.0.1) port 9001 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
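As an added diagnostic (example code, not written by any poster in this thread): a shell check that reads `nginx -V` output, extracts the OpenSSL version nginx is actually linked against, and says whether that library can negotiate TLS 1.3 at all. It assumes the router binary at /opt/nginx/sbin/nginx as shown above and otherwise falls back to a constructed sample that mirrors the thread's `nginx -V` output.

```bash
# Added example (not from the thread): does the OpenSSL that nginx is actually
# linked against support TLS 1.3 (needs OpenSSL 1.1.1 or newer)? Input is the text
# of `nginx -V`; when the runtime library differs from the compile-time one, nginx
# appends "(running with OpenSSL ...)" and that runtime version is the one that counts.

# Print the OpenSSL version token (e.g. 1.0.2k-fips) found in nginx -V output ($1).
nginx_openssl_version() {
    local ver
    ver=$(printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n1)
    [ -n "$ver" ] || ver=$(printf '%s\n' "$1" | sed -n 's/.*built with OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n1)
    printf '%s\n' "$ver"
}

# Return 0 if OpenSSL version $1 is 1.1.1 or newer (TLS 1.3 capable), 1 otherwise.
openssl_supports_tls13() {
    local v maj min rest pat
    v=${1%%-*}                      # "1.0.2k-fips" -> "1.0.2k"
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$rest" = "$pat" ] && pat=0   # no third component, e.g. "3.0"
    pat=${pat%%[!0-9]*}; : "${pat:=0}"   # "2k" -> "2": drop the letter suffix
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -eq 1 ] && [ "$pat" -ge 1 ] && return 0
    return 1
}

# One-line verdict for nginx -V text $1 (always exits 0).
tls13_verdict() {
    local ver
    ver=$(nginx_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: no OpenSSL version in nginx -V output"
    elif openssl_supports_tls13 "$ver"; then
        echo "tls13-capable: nginx runs with OpenSSL $ver"
    else
        echo "no-tls13: OpenSSL $ver cannot do TLS 1.3, so 'ssl_protocols TLSv1.3;' alone fails every handshake"
    fi
}

# Constructed sample mirroring the thread's router: no "running with" suffix, so both libraries are 1.0.2k.
SAMPLE_NGINX_V='nginx version: nginx/1.20.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled'

if [ -x /opt/nginx/sbin/nginx ]; then
    tls13_verdict "$(/opt/nginx/sbin/nginx -V 2>&1)"   # live check on the router
else
    tls13_verdict "$SAMPLE_NGINX_V"
fi
```

A "no-tls13" verdict matches the handshake failure seen above: with only TLSv1.3 listed and a library that cannot speak it, the router has no protocol left to offer, which also locks out TLS 1.2 clients.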