Description
With a from-scratch Docker installation of NPM v2.10.2, TLS v1.3 is not working when adding a proxy host with SSL (using Let's Encrypt, but that should not matter).
This can be verified by testing the website with SSL Labs or openssl (openssl s_client -tls1_3 -connect website:443 - no certificate will be returned).
The reason is that the directive ssl_protocols TLSv1.2 TLSv1.3; in /etc/nginx/conf.d/ssl-ciphers.conf is included in a server {} block by the server host configuration (/data/nginx/proxy_host/*.conf).
This should work according to the nginx documentation (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols), but it doesn't.
A workaround is to include this directive in the http {} block by adding ssl_protocols TLSv1.2 TLSv1.3; in /data/nginx/custom/http.conf.
After reloading the nginx configuration, TLS v1.3 is working.
The bug seems to be in nginx, but I'm unsure; the release notes don't mention any bugfix like this, and the latest nginx has TLS 1.3 enabled by default.
I think NPM should include ssl-ciphers.conf in the http {} block instead of each server {}, as it fixes the issue and I don't see any drawback of doing it (it looks like it simplifies the configuration to put these SSL settings at a higher level).
It's also interesting to note that there is a ssl_prefer_server_ciphers off; directive in ssl-ciphers.conf and a ssl_prefer_server_ciphers on; directive in the http {} block of nginx.conf. The last one should be removed.
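Added illustration (not from the issue above and not NPM's actual shipped configuration): the two placements of ssl_protocols side by side, plus the openssl check the reporter used, as a reviewer would sketch them. File paths match those named in the report; the server_name, listen flags, and the exact cipher list are placeholders. One caveat worth knowing when reading this: nginx applies protocol-version limits at TLS handshake time, before SNI has selected a virtual host, so with per-server ssl_protocols the effective setting is in practice the one from the default server on that listen socket. Setting it once at http {} level avoids that dependency, which is consistent with the workaround described.

```nginx
# --- Placement described in the report (per-server include) ---
# /data/nginx/proxy_host/1.conf   (illustrative, not the real generated file)
server {
    listen 443 ssl http2;                       # placeholder listen flags
    server_name proxied.example.internal;       # placeholder name

    # /etc/nginx/conf.d/ssl-ciphers.conf contains, among others:
    #   ssl_protocols TLSv1.2 TLSv1.3;
    #   ssl_prefer_server_ciphers off;
    # Protocol negotiation has already happened by the time SNI selects this
    # server {}, so this ssl_protocols line is not what decides TLS 1.3 here.
    include /etc/nginx/conf.d/ssl-ciphers.conf;

    ssl_certificate     /etc/letsencrypt/live/proxied.example.internal/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/proxied.example.internal/privkey.pem;    # placeholder path
}

# --- Placement the report proposes (http-level) ---
# /etc/nginx/nginx.conf   (illustrative fragment)
http {
    # One protocol policy for every listen socket and every server {} that
    # does not override it. This is what the reporter's workaround in
    # /data/nginx/custom/http.conf achieves by hand.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Keep a single ssl_prefer_server_ciphers directive. The report notes the
    # http {} block currently says "on" while ssl-ciphers.conf says "off";
    # an inner server {} value overrides the http {} value, so the two
    # disagree only where the include is absent. Pick one policy.
    ssl_prefer_server_ciphers off;

    # Cipher list is a placeholder; keep whatever ssl-ciphers.conf sets today.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    include /data/nginx/custom/http.conf;       # user overrides, as in NPM
    include /data/nginx/proxy_host/*.conf;      # generated server {} blocks
}

# --- Check from the client side (run from a shell, shown here as comments) ---
# A TLS 1.3-only handshake must return a certificate and "Protocol  : TLSv1.3":
#   openssl s_client -tls1_3 -connect proxied.example.internal:443 </dev/null \
#     | grep -E 'Protocol|subject='
# Before the change the report describes, this returns no certificate;
# after it, the subject line and TLSv1.3 appear. Repeat with -tls1_2 to
# confirm TLS 1.2 still works, and with -tls1_1 to confirm it is refused.
```

Reload nginx (nginx -s reload) after editing, then run the openssl check against the proxied host; doing it with -tls1_3, -tls1_2, and -tls1_1 in turn verifies both that TLS 1.3 is now offered and that nothing older than the configured floor is accepted.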