
Security WebPerf Akamai Sponsors OpenSSL TLS 1.3 Development

Discussion in 'All Internet & Web Performance News' started by eva2000, Mar 24, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,196
    6,789
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,144
    Local Time:
    5:46 PM
    Nginx 1.13.x
    MariaDB 5.5
    Akamai is sponsoring OpenSSL TLS 1.3 development, with the first OpenSSL TLS 1.3 release coming much earlier than I expected, on April 5, 2017, on the OpenSSL 1.1.0 branch (instead of the OpenSSL 1.1.1 branch that had been talked about). Full details: https://blogs.akamai.com/2017/01/tls-13-ftw.html. The Centmin Mod 123.09beta01 branch supports the OpenSSL 1.1 branch, so that means once OpenSSL 1.1.0 with TLS 1.3 is released, Centmin Mod Nginx HTTP/2 based HTTPS sites will also have TLS 1.3 support :D

    More info on TLS 1.3 at https://community.centminmod.com/th...-by-the-cloudflare-crypto-team-at-33c3.10329/

     
    Last edited: Mar 24, 2017
  2. eva2000
    Centmin Mod 123.09beta01's Nginx 1.11.10 + OpenSSL 1.1.0e, as per https://centminmod.com/nginx.html#http2

    Set in the persistent config file /etc/centminmod/custom_config.inc prior to Nginx recompiles using centmin.sh menu option 4:
    Code (Text):
    LIBRESSL_SWITCH='n' # and set override LibreSSL defaults
    OPENSSL_VERSION='1.1.0e' # override default 1.0.2k
    

     
    Last edited: Mar 24, 2017
  3. BamaStangGuy

    BamaStangGuy Active Member

    470
    137
    43
    May 25, 2014
    Ratings:
    +180
    Local Time:
    2:46 AM
    So this would allow a full 1.3 connection if using CloudFlare currently right? They have the 1.3 Beta that allows a 1.3 connect from the client to CloudFlare but it is currently downgraded to 1.2 from CloudFlare to our datacenter? Is that a correct way to look at it?
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,196
    6,789
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,144
    Local Time:
    5:46 PM
    Nginx 1.13.x
    MariaDB 5.5
    AFAIK, Cloudflare will talk to your origin backend server in HTTP 1.1 protocol even for HTTPS full strict setups. Only Client to Cloudflare end is communicated in HTTP/2 HTTPS TLS 1.0, 1.1, 1.2 and 1.3.
     
  5. BamaStangGuy
    I am confused then: What do the SSL options mean?

    That leads me to believe that the entire process is encrypted but with just http 1.1 slower encryption I guess?
     
  6. eva2000
    HTTPS can be over the faster HTTP/2 or the slower HTTP 1.1.

    So yes, if you use Cloudflare SSL Full or Strict certificate setups, Cloudflare talks to clients' origin backend servers via the slower HTTP 1.1 based HTTPS.
     
  7. eva2000
    ~4-5 days to go for TLS 1.3 supported OpenSSL 1.1.0 release I hope :D
     
  8. bassie

    bassie Active Member

    535
    116
    43
    Apr 29, 2016
    Ratings:
    +348
    Local Time:
    9:46 AM
    Sorry to say, but don't expect too much.
    The TLSv1.3 core is supported starting at OpenSSL 1.1.1.
    But TLSv1.3 is a de-facto standard and not a standard yet.

    It will not work with any browser you could name, as the common browsers (even beta) with TLSv1.3 support are on draft-18 and OpenSSL 1.1.1 (atm the master branch) is on draft-19.

     
    Last edited: Apr 1, 2017
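Why a draft-18 browser and a draft-19 OpenSSL cannot talk TLS 1.3 to each other, as an added example that is not part of the thread: during the TLS 1.3 draft period each draft advertised its own code in the ClientHello supported_versions extension (0x7f00 + draft number, so draft-18 is 0x7f12 and draft-19 is 0x7f13; final TLS 1.3 is 0x0304), and a server only selects a code it implements itself. The encoder, parser and selection logic below are a toy model written for this post (function names are my own), not OpenSSL's code.

```python
"""Toy model of TLS 1.3 supported_versions negotiation across draft numbers.

Added example, not from the thread or from OpenSSL. It shows why a client on
draft-18 and a server on draft-19 end up on TLS 1.2 (or fail outright) even
though both "support TLS 1.3".
"""
import struct

TLS12 = 0x0303        # final TLS 1.2 version code
TLS13_FINAL = 0x0304  # final TLS 1.3 version code (RFC 8446)


def draft_version(n):
    """Version code a TLS 1.3 draft-n implementation put in supported_versions."""
    return 0x7F00 | n


def version_name(code):
    """Human-readable name for a version code (unknown codes are shown in hex)."""
    if code == TLS12:
        return "TLSv1.2"
    if code == TLS13_FINAL:
        return "TLSv1.3"
    if code >> 8 == 0x7F:
        return "TLSv1.3-draft-%d" % (code & 0xFF)
    return "unknown(0x%04x)" % code


def encode_supported_versions(versions):
    """Client-side extension body: 1-byte list length, then 2-byte codes in
    client preference order."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!B", len(body)) + body


def parse_supported_versions(data):
    """Parse the client body back into version codes.

    The length byte is checked against the actual data before any slicing: a
    defensive parser never trusts a peer-supplied length."""
    if not data:
        raise ValueError("empty supported_versions body")
    length = data[0]
    if length % 2 or length != len(data) - 1:
        raise ValueError("bad supported_versions length")
    return [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, length, 2)]


def select_version(client_versions, server_versions):
    """Server side: first client-preferred code the server also implements.

    (This toy honours client order; a real server may apply its own order.)"""
    for v in client_versions:
        if v in server_versions:
            return v
    return None


def negotiate(client_versions, server_versions):
    """Round trip: client encodes its list, server parses it and selects.
    Returns the negotiated version name or "handshake failure"."""
    wire = encode_supported_versions(client_versions)
    chosen = select_version(parse_supported_versions(wire), server_versions)
    return version_name(chosen) if chosen is not None else "handshake failure"


if __name__ == "__main__":
    # Constructed scenario from the thread: browser on draft-18, server on draft-19.
    browser = [draft_version(18), TLS12]
    openssl_master = [draft_version(19), TLS12]
    print("draft-18 client vs draft-19 server:", negotiate(browser, openssl_master))
    print("draft-19 client vs draft-19 server:",
          negotiate([draft_version(19), TLS12], openssl_master))
    print("draft-18 client vs final-only server:",
          negotiate([draft_version(18)], [TLS13_FINAL]))
```

The first call lands on TLSv1.2 because 0x7f12 and 0x7f13 are simply different codes; only when both sides carry the same draft number (or the final 0x0304) is TLS 1.3 selected.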
  9. eva2000
  10. bassie
    For anyone who wants to test TLS 1.3 with Nginx.
    GitHub - openssl/openssl at tls1.3-draft-18
     
  11. bassie
    In the best case, if all browsers supported TLSv1.3 draft 19 by 5 April
    (won't happen, but if they did),
    Nginx plus OpenSSL 1.1.1 (TLSv1.3) also won't work. Nginx is not yet ready.

     
    Last edited: Apr 1, 2017
  12. eva2000
    Darn, so it will be some time then; at least developments are happening sooner rather than later :)
     
  13. bassie
    Looking at the past with OpenSSL 1.1.0:
    the Nginx developers stopped integrating OpenSSL 1.1.0 dev at some point because it was API breaking (despite earlier announcements), and started over with the OpenSSL 1.1.0 final version.

    As TLSv1.3 is still a draft, a lot can happen (see for example draft 18 > draft 19).

    Too much useless time for the Nginx developers to spend if the draft keeps changing again and again. I expect Nginx TLSv1.3 support after it is the final standard, at the earliest.
     
  14. eva2000
    Yeah, Nginx voiced that before when OpenSSL 1.1.0 was in development - ever-changing code, so they waited till the final release :)
     
  15. eva2000
    Bit of playtime with draft 18 TLSv1.3 :D

    Code (Text):
    openssl ciphers -V "ALL:COMPLEMENTOFALL" | grep TLSv1.3
              0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
              0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
              0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
              0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
              0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
     
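A small parser for the `openssl ciphers -V` listing shown above, as an added example that is not part of the thread: it turns each line into a record (two-byte suite id, name, protocol, key exchange, authentication, encryption, MAC), pulls out the suites an OpenSSL build exposes for TLSv1.3, and flags the CCM-8 suite, whose 64-bit authentication tag is why it is normally kept out of production cipher lists. The sample input is the five draft-18 lines eva2000 posted plus one constructed TLSv1.2 line so the filter has something to exclude; no openssl binary is needed to run it. Function names are my own, not OpenSSL's.

```python
"""Parse `openssl ciphers -V` output and report the TLSv1.3 suites present.

Added example, not from the thread or from OpenSSL. SAMPLE is constructed
input: the five TLS13-* lines from the post above plus one TLSv1.2 line.
"""
import re

SAMPLE = """\
          0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
          0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
          0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""

# One line of `openssl ciphers -V`: "0xHH,0xHH - NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s*$"
)


def parse_ciphers(text):
    """Return a list of dicts, one per cipher line; blank lines are skipped and
    anything else that does not match the expected layout raises ValueError."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised cipher line: %r" % line)
        hi, lo, name, proto, kx, au, enc, mac = m.groups()
        suites.append({
            "id": (int(hi, 16) << 8) | int(lo, 16),  # e.g. 0x1302
            "name": name,
            "protocol": proto,
            "kx": kx, "au": au, "enc": enc, "mac": mac,
        })
    return suites


def tls13_suites(suites):
    """Only the suites the build marks as TLSv1.3."""
    return [s for s in suites if s["protocol"] == "TLSv1.3"]


def weak_tls13(suites):
    """Names of TLSv1.3 suites using CCM-8 (64-bit authentication tag)."""
    return [s["name"] for s in tls13_suites(suites) if "CCM8" in s["enc"]]


def report(text):
    """Summary a practitioner would check after building Nginx against a new OpenSSL."""
    suites = parse_ciphers(text)
    t13 = tls13_suites(suites)
    return {
        "total": len(suites),
        "has_tls13": bool(t13),
        "tls13": ["0x%04x %s" % (s["id"], s["name"]) for s in t13],
        "flagged": weak_tls13(suites),
    }


if __name__ == "__main__":
    # Real use: report(subprocess.check_output(["openssl", "ciphers", "-V", "ALL:COMPLEMENTOFALL"]).decode())
    for key, value in report(SAMPLE).items():
        print("%-10s %s" % (key, value))
```

In real use you would feed it the output of `openssl ciphers -V "ALL:COMPLEMENTOFALL"` from the OpenSSL that Nginx was actually linked against (the build in /svr-setup, not necessarily the system one), since that is the only copy whose suite list matters for the HTTPS vhosts.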
  16. ahmed

    ahmed Member

    201
    15
    18
    Feb 21, 2017
    Ratings:
    +21
    Local Time:
    9:46 AM
    So I put OpenSSL in the Nginx compilation and updated Nginx to 1.13.

    Will TLS 1.3 be on by default?
     
  17. eva2000
    No, no. TLS v1.3 isn't available in production on the OpenSSL 1.1.0 branch yet; it's still in developmental branches at OpenSSL, so I am only testing it privately myself.

    This thread is just discussing and tracking TLS v1.3's progress and eventual release :)
     
  18. bassie
    Nice!
    OpenSSL git branch tlsv1.3-draft-18 with Nginx-1.11.13?

    OpenSSL will deliver TLS 1.3 on April 5.
    That's today! Juuuuuuh.

    They have previously indicated that it is a work in progress, for developers to start with TLS 1.3.

    Wonder what they're going to deliver today:
    official release, branch release on GitHub or something else.

    It only seems obvious that TLSv1.3 draft 19 is included.
    @eva2000 et al. What do you think?
     
  19. eva2000
    Who knows.. right now 1.11.13 + openssl 1.1.0 with TLSv1.3 draft 18 doesn't compile cleanly; as you said, the Nginx side hasn't and probably won't look at it until the final spec is determined.
    Code (Text):
    cd ../openssl-tls1.3 \
    && if [ -f Makefile ]; then make clean; fi \
    && ./config --prefix=/svr-setup/nginx-1.11.13/../openssl-tls1.3/.openssl no-shared  \
    && make \
    && make install_sw LIBDIR=lib
    Operating system: x86_64-whatever-linux2
    Global symbol "$chapoly_obj" requires explicit package name at ./Configure line 1302.
    Global symbol "$cflags" requires explicit package name at ./Configure line 1304.
    BEGIN not safe after errors--compilation aborted at ./Configure line 1343.
    Global symbol "$chapoly_obj" requires explicit package name at ./Configure line 1302.
    Global symbol "$cflags" requires explicit package name at ./Configure line 1304.
    BEGIN not safe after errors--compilation aborted at ./Configure line 1343.
    This system (linux-x86_64) is not supported. See file INSTALL for details.
    make[1]: *** [../openssl-tls1.3/.openssl/include/openssl/ssl.h] Error 1
    make[1]: Leaving directory `/svr-setup/nginx-1.11.13'
    make: *** [build] Error 2
     
  20. bassie