I have started bionic lxd container with nginx and snakeoil certificates. # patch /etc/ssl/openssl.cnf cap-to-tls1.2.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 353 (offset 2 lines). # systemctl restart nginx
And connect from the host system which has stock openssl.cnf $ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher Can't use SSL_get_servername depth=0 CN = nearby-osprey.lxd verify error:num=18:self signed certificate verify return:1 depth=0 CN = nearby-osprey.lxd verify return:1 New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 ^C Back in the container # patch -R /etc/ssl/openssl.cnf cap-to-tls1.2.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 350 (offset 2 lines). # patch /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 353 (offset 2 lines). # systemctl restart nginx Connecting to the container again externally: $ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher Can't use SSL_get_servername depth=0 CN = nearby-osprey.lxd verify error:num=18:self signed certificate verify return:1 depth=0 CN = nearby-osprey.lxd verify return:1 New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256 ^C # patch -R /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 350 (offset 2 lines). # systemctl restart nginx So using the above patches to openssl.cnf I was able to reorder chipersuites of stock bionic nginx, and cap to TLSv1.2. So with attached ** Changed in: openssl (Ubuntu Bionic) Status: New => Incomplete ** Changed in: openssl (Ubuntu Disco) Status: New => Incomplete ** Changed in: openssl (Ubuntu Cosmic) Status: New => Incomplete ** Changed in: openssl (Ubuntu Eoan) Assignee: Dimitri John Ledkov (xnox) => (unassigned) ** Changed in: openssl (Ubuntu Eoan) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs