TLS v1.3 active despite not being enabled in Nginx config

Nginx 1.14.1 built with OpenSSL 1.1.0g

OpenSSL 1.1.0 does not support TLS 1.3

Ubuntu Server 18.04.1, OpenSSL 1.1.1 11 Sep 2018

Ubuntu 18.04.1 comes with OpenSSL 1.1.0g not with OpenSSL 1.1.1.

My guess is that you somehow installed OpenSSL 1.1.1 on your system in a way that replaced the version which comes with the OS. Because nginx uses shared libraries it will use the OpenSSL 1.1.1 you have installed even though it was compiled against OpenSSL 1.1.0g.

The option ssl_protocols TLSv1.2; in nginx is not implemented by only enabling TLS 1.2. Instead all useful protocols are enabled by default and restricting it to TLS 1.2 effectively means that everything but TLS 1.2 gets disabled. But, it can only disable protocols it is aware of and given that nginx was compiled against an OpenSSL version without TLS 1.3 support it is not aware that TLS 1.3 exists and also has no way to disable it, which means that it stays enabled.

Looking at the comment:

Apparently the OpenSSL version is installed over default repository because I use the sury.org PHP PPA.

To fix you also need to install the sury.org repo version of nginx. At time of writing this version of nginx is built with openssl 1.1.1b and TLS 1.3 which is required if we use the ondrej php7.3 lib which replaces the default ubuntu openssl package.

i had to do the same as i was getting a ERR_SSL_VERSION_INTERFERENCE ssl error in chrome.

before:

sudo nginx -V
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1b  26 Feb 2019)

run the following:

sudo add-apt-repository ppa:ondrej/nginx
sudo apt update
sudo apt remove nginx
sudo apt install nginx

after:

sudo nginx -V
built with OpenSSL 1.1.1  11 Sep 2018 (running with OpenSSL 1.1.1b  26 Feb 2019)

full instructions here:

https://www.linuxbabe.com/ubuntu/enable-tls-1-3-nginx-ubuntu-18-10-18-04-16-04-14-04