Today I was struggling with a weird issue. For some reason my Nginx server on Debian would only allow TLSv1.3, and Apache Pulsar uses a slightly older version of AsyncHttpClient that only supported TLSv1.2 and older for OAuth2 token exchange.
This caused the protocol_version SSL exception when starting my Java clients that connect to Apache Pulsar using OAuth2 authentication.
The fix is easy though. First, analyze which SSL ciphers and protocols your web server allows:

    nmap --script ssl-enum-ciphers -p 443 192.168.1.10

    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.3:
    |     ciphers:
    |       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    |     cipher preference: server
    |_  least strength: A

No support for TLSv1.2, even though I have this configured in my virtual host:

    server {
        listen 443 ssl http2;
        ....
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers '......';
        ssl_prefer_server_ciphers on;
        ....

Figuring this out was really frustrating, but the solution was simple. Debian does not provide a default server section for port 443, so you need to edit the file:

    sudo vim /etc/nginx/sites-enabled/default

And add this to the bottom of the file:

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl_certificate ...
        ssl_certificate_key ...
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers '....';
        ssl_prefer_server_ciphers on;
    }

The result:

    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |   TLSv1.3:
    |     ciphers:
    |       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
    |       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |     cipher preference: server
    |_  least strength: A
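
To turn the scan into a repeatable check, the following added example (not part of the original post) parses `ssl-enum-ciphers` output and reports which required protocol versions the server does not offer. The function names are hypothetical, and the two sample scans are abridged from the output shown above.

```python
import re
import sys

PROTO_RE = re.compile(r"^(SSLv\d|TLSv\d\.\d):$")
CIPHER_RE = re.compile(r"^([A-Z0-9_]+)\s+\((.+)\)\s+-\s+([A-F])$")

# Sample input abridged from the two scans in the post (one cipher per protocol).
SCAN_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""
SCAN_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""

def parse_ssl_enum(output):
    """Return {protocol: [(cipher, key_exchange, grade), ...]}."""
    offered, current = {}, None
    for raw in output.splitlines():
        # Drop nmap's "|" / "|_" tree prefix and any indentation.
        line = re.sub(r"^\|_?", "", raw.strip()).strip()
        if m := PROTO_RE.match(line):
            current = m.group(1)
            offered[current] = []
        elif current and (m := CIPHER_RE.match(line)):
            offered[current].append(m.groups())
    return offered

def missing_protocols(output, required):
    """Required protocol versions for which the scan lists no cipher."""
    offered = parse_ssl_enum(output)
    return [p for p in required if not offered.get(p)]

if __name__ == "__main__":
    # Reads nmap output on stdin; required versions are the arguments.
    missing = missing_protocols(sys.stdin.read(), sys.argv[1:] or ["TLSv1.2"])
    sys.exit(f"not offered: {', '.join(missing)}" if missing else 0)
```

Pipe the nmap command from the post into the script with `TLSv1.2` as argument; it exits non-zero when a client limited to that version would fail the handshake.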