openssl – Nginx with only TLS1.3 cipher suites


I am trying to configure Nginx to use only TLS1.3 with 2 ciphers: TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256.

So, I tried this configuration:

ssl_protocols TLSv1.3;
ssl_ciphers TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256;

But nginx -s reload errors out with

nginx: (emerg) SSL_CTX_set_cipher_list("TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)", "operationName": "Default", "category": "Default"}

Looks like I need to append at least one non-TLS1.3 cipher to make the config work. I tried various such combinations and they worked. One of them is:

TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

Why is it so? I think it’s happening because OpenSSL itself doesn’t accept the original ciphersuite string. I am using OpenSSL-1.1.1g.

root@2ed6cae6e062:/azure/appgw# openssl ciphers -v TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256
Error in cipher list
140686067873536:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2558:

There are some useful links I came across but couldn’t figure out how to achieve what I want – using only TLS1.3 ciphersuites.

https://forum.nginx.org/read.php?2,284909,284914#msg-284914
https://trac.nginx.org/nginx/ticket/1529
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites