Want to subscribe to topics you're interested in?
Become a Member

Security WebPerf Akamai Sponsors OpenSSL TLS 1.3 Development

Discussion in 'All Internet & Web Performance News' started by eva2000, Mar 24, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    9:05 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Oh I installed OpenSSL 1.1 TLS 1.3 draft 18 and it's binary ok just not for Nginx yet :)

     
  2. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    9:05 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nginx + OpenSSL 1.1 + TLS v1.3 progress :)
    Not quite there yet as Nginx has yet to add identification for TLS v1.3
    Code (Text):
    ./cipherscan https://domain.com
    .......
    Target: domain.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn          pfs                 curves  curves_ordering
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    3     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    4     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    5     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: unknown - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    
    TLS Tolerance: no
    Fallbacks required:
    big-SSLv3 no fallback req, connected: TLSv1.3 TLS13-AES-128-GCM-SHA256
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.3 TLS13-AES-128-GCM-SHA256
    
    Intolerance to:
     SSL 3.254           : absent
     TLS 1.0             : absent
     TLS 1.1             : absent
     TLS 1.2             : absent
     TLS 1.3             : absent
     TLS 1.4             : absent

    Test against OpenSSL 1.1 dev TLS v1.3 enabled binary works
    Code (Text):
    echo -n | openssl s_client -connect domain.com:443 -CAfile /etc/ssl/certs/cacert.pem| sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = domain.com
    verify return:1
    DONE
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/CN=domain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    subject=/CN=domain.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    ---
    SSL handshake has read 3019 bytes and written 491 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS13-AES-128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS13-AES-128-GCM-SHA256
        Extended master secret: no
    ---
    read R BLOCK

    take note
    Code (Text):
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS13-AES-128-GCM-SHA256


    upload_2017-4-7_0-41-32.png

    upload_2017-4-7_0-43-23.png
     
    Last edited: Apr 7, 2017
  3. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    1:05 AM
    Still using OpenSSL 1.1.1 dev with TLSv1.3 draft 18?

    About your screenshot.
    Because nginx doesn't know about TLSv1.3, which Chrome are you using as it is identified as TLSv1.3 connection?
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    9:05 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yeah TLS v1.3 draft 18 + Google Canary (Version 59.0.3064.0 (Official Build) canary (64-bit)) :)
     
  5. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    1:05 AM
    April 5th is over, no announcement, statement or release from the OpenSSL team about TLS v1.3. @eva2000 Any news?
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    9:05 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  7. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    1:05 AM
    Unfortunately remains an age-old problem.
    Most programmers, ITers or whatever you want to call them and communication.
    No happy marriage.:)
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    9:05 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    hehe https://mta.openssl.org/pipermail/openssl-dev/2017-April/009300.html
    as already mentioned in this thread too, at [openssl-dev] ETA: TLS 1.3 release

     
  9. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    1:05 AM
    Apart from the content.
    A bit silly that the same person writes both blogs in the name of his employer and the OpenSSL project. When you ask for problems you get problems.
    Logical and clear.
     
    Last edited: Apr 26, 2017
  10. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    1:05 AM
    The Transport Layer Security (TLS) Protocol Version 1.3
    draft-ietf-tls-tls13-21 is released. Hopefully an final (release) internet standard soon.
     
  11. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    9:05 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Awesome news.. thanks for the heads up so were's on TLS v1.3 draft-21 now but browsers are still on TLS v1.3 draft-18 ?
     
  12. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    1:05 AM
    Jup, think draft 18 was the one for a while as almost everybody has it: BoringSSL, OpenSSL, Chrome, Firefox, Opera etc.

    They are now waiting for it to be an final standard. I think. Costing too much money to implement draft after draft every time with a new released draft, and then you already know that you can start over again next month.