Security WebPerf Akamai Sponsors OpenSSL TLS 1.3 Development

Discussion in 'All Internet & Web Performance News' started by eva2000, Mar 24, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    Akamai is sponsoring OpenSSL TLS 1.3 development, with the first OpenSSL TLS 1.3 release coming much earlier than I expected, on April 5, 2017, in the OpenSSL 1.1.0 branch (instead of the talked-about OpenSSL 1.1.1 branch). Full details: https://blogs.akamai.com/2017/01/tls-13-ftw.html. The Centmin Mod 123.09beta01 branch supports the OpenSSL 1.1 branch, so that means once OpenSSL 1.1.0 with TLS 1.3 is released, Centmin Mod Nginx HTTP/2 based HTTPS sites will also have TLS 1.3 support :D

    More info on TLS 1.3 at https://community.centminmod.com/th...-by-the-cloudflare-crypto-team-at-33c3.10329/


     
    Last edited: Mar 24, 2017
  2. eva2000

    Centmin Mod 123.09beta01's Nginx 1.11.10 + OpenSSL 1.1.0e as per https://centminmod.com/nginx.html#http2

    Set in the persistent config file /etc/centminmod/custom_config.inc prior to Nginx recompiles using centmin.sh menu option 4:
    Code (Text):
    LIBRESSL_SWITCH='n'      # 'n' = build Nginx against OpenSSL rather than LibreSSL
    OPENSSL_VERSION='1.1.0e' # override the default OpenSSL 1.0.2k
    

     
    Last edited: Mar 24, 2017
  3. BamaStangGuy

    BamaStangGuy Active Member

    So this would allow a full TLS 1.3 connection if using CloudFlare currently, right? They have the 1.3 beta that allows a 1.3 connection from the client to CloudFlare, but it is currently downgraded to 1.2 from CloudFlare to our datacenter? Is that a correct way to look at it?
     
  4. eva2000

    AFAIK, Cloudflare will talk to your origin backend server over the HTTP/1.1 protocol even for HTTPS Full (Strict) setups. Only the client-to-Cloudflare leg is communicated over HTTP/2 HTTPS with TLS 1.0, 1.1, 1.2 and 1.3.
     
  5. BamaStangGuy

    I am confused then: what do the SSL options mean?

    That leads me to believe that the entire process is encrypted, but with just HTTP 1.1's slower encryption, I guess?
     
  6. eva2000

    HTTPS can be over the faster HTTP/2 or the slower HTTP 1.1.

    So yes, if you use Cloudflare SSL Full or Strict certificate setups, Cloudflare talks to clients' origin backend servers via the slower HTTP 1.1 based HTTPS.
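
    The quickest way to settle what the Cloudflare-to-origin hop actually uses is to log it on the origin. This is an added example, not config from the thread or from Centmin Mod's shipped vhost templates; the hostname and certificate paths are placeholders. The HTTP version ($server_protocol, plus $http2 from ngx_http_v2_module) and the TLS version/cipher ($ssl_protocol, $ssl_cipher from ngx_http_ssl_module) are separate fields because they are negotiated separately, and $http_cf_ray picks out requests that really came through Cloudflare, which sets a CF-RAY header.

    ```nginx
    # Added example (not from the thread): one log_format that records, per request,
    # the HTTP version and the TLS version negotiated on the hop that reached this
    # origin. Placeholders: example.com and the two certificate paths.
    log_format origin_tls '$remote_addr [$time_local] "$request" $status '
                          'http=$server_protocol h2=$http2 '
                          'tls=$ssl_protocol cipher=$ssl_cipher '
                          'cf_ray=$http_cf_ray';

    server {
        listen 443 ssl http2;
        server_name example.com;                      # placeholder
        ssl_certificate     /path/to/fullchain.pem;   # placeholder
        ssl_certificate_key /path/to/privkey.pem;     # placeholder

        # Write the detailed line to its own file so it can be grepped in isolation.
        access_log /var/log/nginx/origin_tls.log origin_tls;

        location / {
            return 200 "ok\n";
        }
    }
    ```

    After reloading Nginx and browsing the site through Cloudflare, filter the log on non-empty cf_ray= entries: the http= field shows the HTTP version Cloudflare spoke to the origin and the tls= field the TLS version it negotiated, independently of whatever the browser negotiated with the Cloudflare edge.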
     
  7. eva2000

    ~4-5 days to go for the TLS 1.3 supported OpenSSL 1.1.0 release, I hope :D
     
  8. buik

    buik “The best traveler is one without a camera.”

    Sorry to say, but don't expect too much.
    The TLSv1.3 core is supported starting at OpenSSL 1.1.1.
    But TLSv1.3 is a de-facto standard and not a standard yet.

    It will not work with any browser you could name, as the common browsers (even beta) with TLSv1.3 support are on draft-18 and OpenSSL 1.1.1 (atm master branch) is on draft-19.

     
    Last edited: Apr 1, 2017
  9. eva2000

  10. buik

    For anyone who wants to test TLS 1.3 with Nginx:
    GitHub - openssl/openssl at tls1.3-draft-18
     
  11. buik

    In the best case, if all browsers would support TLSv1.3 draft 19 by 5 April
    (won't happen, but if),
    Nginx plus OpenSSL 1.1.1 (TLSv1.3) also won't work. Nginx is not yet ready.

     
    Last edited: Apr 1, 2017
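
    The draft mismatch buik describes in posts 8 and 11 is decided by one extension. TLS 1.3 drafts identified themselves on the wire as 0x7f00 | draft number (draft-18 = 0x7f12, draft-19 = 0x7f13) inside the supported_versions extension (type 43); only the final RFC 8446 uses 0x0304. The server may only pick a version the client listed, so a draft-18 browser and a draft-19 OpenSSL have nothing in common above TLS 1.2. The following is an added example, not code from the thread, OpenSSL or Nginx: it encodes and decodes that extension and runs the negotiation with constructed version lists; the surrounding ClientHello/ServerHello framing is left out.

    ```python
    """Added example (not from the thread): why a draft-18 browser and a
    draft-19 OpenSSL build end up on TLS 1.2.

    Only the supported_versions extension is modelled; the version lists fed to
    negotiate() are constructed for illustration, not captured from real peers.
    """
    import struct

    TLS12 = 0x0303
    TLS13 = 0x0304                      # final TLS 1.3 (RFC 8446)
    EXT_SUPPORTED_VERSIONS = 43


    def draft(n):
        """Wire encoding used by the TLS 1.3 drafts: 0x7f00 | draft number."""
        return 0x7F00 | n


    def version_name(v):
        if v == TLS12:
            return "TLS 1.2"
        if v == TLS13:
            return "TLS 1.3"
        if v & 0xFF00 == 0x7F00:
            return "TLS 1.3 draft-%d" % (v & 0xFF)
        return "0x%04x" % v


    def build_supported_versions(versions):
        """Encode the ClientHello supported_versions extension:
        uint16 type, uint16 length, then ProtocolVersion versions<2..254>
        (1-byte list length followed by 2-byte versions, most preferred first)."""
        body = b"".join(struct.pack("!H", v) for v in versions)
        data = struct.pack("!B", len(body)) + body
        return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data


    def parse_supported_versions(ext):
        """Decode the extension built above, rejecting malformed lengths."""
        if len(ext) < 4:
            raise ValueError("short extension header")
        ext_type, ext_len = struct.unpack("!HH", ext[:4])
        if ext_type != EXT_SUPPORTED_VERSIONS:
            raise ValueError("not supported_versions (type %d)" % ext_type)
        data = ext[4:4 + ext_len]
        if len(data) != ext_len or ext_len < 3:
            raise ValueError("truncated extension body")
        list_len = data[0]
        if list_len != ext_len - 1 or list_len % 2 or list_len < 2:
            raise ValueError("bad version list length")
        return [struct.unpack("!H", data[i:i + 2])[0]
                for i in range(1, 1 + list_len, 2)]


    def server_select(client_hello_ext, server_versions):
        """Server side: walk its own preference list and return the first version
        the client also offered. RFC 8446 4.2.1 only lets the server choose a
        version present in the client's list; None means handshake failure."""
        offered = parse_supported_versions(client_hello_ext)
        for v in server_versions:
            if v in offered:
                return v
        return None


    def negotiate(client_versions, server_versions):
        """Run one client/server exchange and return the human-readable outcome."""
        ext = build_supported_versions(client_versions)
        chosen = server_select(ext, server_versions)
        return version_name(chosen) if chosen is not None else "handshake failure"


    if __name__ == "__main__":
        # Constructed scenarios matching the thread:
        # 1) draft-18 browser vs draft-19 OpenSSL master -> falls back to TLS 1.2
        print(negotiate([draft(18), TLS12], [draft(19), TLS12]))
        # 2) draft-18 browser vs the tls1.3-draft-18 branch -> TLS 1.3 draft-18
        print(negotiate([draft(18), TLS12], [draft(18), TLS12]))
        # 3) final spec on both sides -> TLS 1.3
        print(negotiate([TLS13, TLS12], [TLS13, TLS12]))
    ```

    The server-preference loop is one legitimate policy; a real stack may instead honour the client's order, but either way it can only pick from what the client listed, which is the whole reason a draft-number bump on one side silently drops the connection to TLS 1.2 rather than failing loudly.
    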
  12. eva2000

    Darn, so it will be some time then; at least developments are happening sooner rather than later :)
     
  13. buik

    Looking at the past with OpenSSL 1.1.0: the Nginx developers stopped integrating OpenSSL 1.1.0 dev at some point because it was API-breaking (despite earlier announcements), and started over with the OpenSSL 1.1.0 final version.

    As TLSv1.3 is still a draft, a lot can happen (see for example draft 18 > draft 19).

    Too much useless time for the Nginx developers to spend if the draft keeps changing again and again. I expect Nginx TLSv1.3 support after it is the final standard, at the earliest.
     
  14. eva2000

    Yeah, Nginx has voiced that before when OpenSSL 1.1.0 was in development - ever-changing code, so they waited till the final release :)
     
  15. eva2000

    Bit of playtime with draft 18 TLSv1.3 :D

    Code (Text):
    openssl ciphers -V "ALL:COMPLEMENTOFALL" | grep TLSv1.3
              0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
              0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
              0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
              0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
              0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
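
    The `openssl ciphers -V` listing above is the check to run after any OpenSSL swap, and it is easier to act on once parsed. The script below is an added example, not code from the thread or from OpenSSL: it parses that output format (code point, name, protocol, Kx=, Au=, Enc=, Mac=), lists the TLSv1.3 suites, and flags suites that a hardened ssl_ciphers list should not carry. The embedded sample is constructed from the five TLSv1.3 lines posted above plus two TLS 1.2/legacy lines written in the same format; the live_suites() helper assumes an openssl binary on PATH. It keys on code points and the protocol column rather than names, so it still works on OpenSSL 1.1.1 final, which renamed the draft-era TLS13-* suites to the IANA style (TLS_AES_256_GCM_SHA384 and so on).

    ```python
    """Added example (not from the thread): parse `openssl ciphers -V` output.

    SAMPLE is constructed: the TLSv1.3 lines as posted in this thread plus two
    extra lines (an ECDHE GCM suite and RC4-MD5) in the same column layout.
    """
    import re
    import subprocess

    SAMPLE = """\
              0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
              0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
              0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
              0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
              0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
              0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
              0x00,0x04 - RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    """

    # One `openssl ciphers -V` line: "0xHH,0xHH - NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."
    LINE = re.compile(
        r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)\s+"
        r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s*$")


    def parse_ciphers(text):
        """Return one dict per suite; lines that do not match are skipped."""
        suites = []
        for line in text.splitlines():
            m = LINE.match(line)
            if not m:
                continue
            hi, lo, name, proto, kx, au, enc, mac = m.groups()
            suites.append({
                "code": (int(hi, 16) << 8) | int(lo, 16),   # IANA 16-bit code point
                "name": name, "proto": proto,
                "kx": kx, "au": au, "enc": enc, "mac": mac,
            })
        return suites


    def tls13_suites(suites):
        """Names of the suites the library marks TLSv1.3 (all in 0x1301-0x1305)."""
        return [s["name"] for s in suites if s["proto"] == "TLSv1.3"]


    def weak_suites(suites):
        """Suites a hardened nginx ssl_ciphers list should never contain:
        non-AEAD MACs, RC4/DES/3DES/NULL encryption, or static RSA key exchange
        (no forward secrecy). The Enc column reads e.g. 'RC4(128)' or 'None'."""
        bad = []
        for s in suites:
            enc_alg = s["enc"].split("(")[0]
            if (s["mac"] != "AEAD"
                    or enc_alg in ("RC4", "DES", "3DES", "None")
                    or s["kx"] == "RSA"):
                bad.append(s["name"])
        return bad


    def live_suites():
        """Parse the local openssl binary's list (assumes openssl is on PATH)."""
        out = subprocess.run(["openssl", "ciphers", "-V", "ALL:COMPLEMENTOFALL"],
                             capture_output=True, text=True, check=True).stdout
        return parse_ciphers(out)


    if __name__ == "__main__":
        parsed = parse_ciphers(SAMPLE)
        print("TLS 1.3 suites:", tls13_suites(parsed))
        print("weak suites:", weak_suites(parsed))
    ```

    Against the sample, the five TLSv1.3 suites come out as expected and only RC4-MD5 is flagged (MD5 MAC, RC4, static RSA). On a real host swap SAMPLE for live_suites() and diff the result before and after changing OPENSSL_VERSION; a missing TLSv1.3 block means Nginx was linked against an OpenSSL that does not have it, regardless of what the browser supports.
    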
     
  16. ahmed

    ahmed Active Member

    So I put OpenSSL on the Nginx compilation and updated Nginx to 1.13.

    TLS 1.3 will be on by default?
     
  17. eva2000

    No no, TLS v1.3 isn't available in production on the OpenSSL 1.1.0 branch yet; it's still in developmental branches at OpenSSL, so I am only testing it privately myself.

    This thread is just discussing and tracking TLS v1.3's progress and eventual release :)
     
  18. buik

    Nice!
    OpenSSL git branch tlsv1.3-draft-18 with Nginx 1.11.13?

    OpenSSL will deliver TLS 1.3 on April 5.
    That's today! Juuuuuuh.

    They have previously indicated that it is a work in progress, for developers to start with TLS 1.3.

    Wonder what they're going to deliver today.
    Official release, branch release on GitHub, or something else?

    It only seems obvious that TLSv1.3 draft 19 is included.
    @eva2000 et al. What do you think?
     
  19. eva2000

    Who knows.. right now 1.11.13 + OpenSSL 1.1.0 with TLSv1.3 draft 18 doesn't compile cleanly, as you said; the Nginx side hasn't and probably won't look at it until the final spec is determined.
    Code (Text):
    cd ../openssl-tls1.3 \
    && if [ -f Makefile ]; then make clean; fi \
    && ./config --prefix=/svr-setup/nginx-1.11.13/../openssl-tls1.3/.openssl no-shared  \
    && make \
    && make install_sw LIBDIR=lib
    Operating system: x86_64-whatever-linux2
    Global symbol "$chapoly_obj" requires explicit package name at ./Configure line 1302.
    Global symbol "$cflags" requires explicit package name at ./Configure line 1304.
    BEGIN not safe after errors--compilation aborted at ./Configure line 1343.
    Global symbol "$chapoly_obj" requires explicit package name at ./Configure line 1302.
    Global symbol "$cflags" requires explicit package name at ./Configure line 1304.
    BEGIN not safe after errors--compilation aborted at ./Configure line 1343.
    This system (linux-x86_64) is not supported. See file INSTALL for details.
    make[1]: *** [../openssl-tls1.3/.openssl/include/openssl/ssl.h] Error 1
    make[1]: Leaving directory `/svr-setup/nginx-1.11.13'
    make: *** [build] Error 2
     
  20. buik
