
Security Changes coming to TLS (TLS v1.3)

Discussion in 'All Internet & Web Performance News' started by eva2000, Apr 6, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    RedHat's two-part look into upcoming TLS changes for TLS v1.3, including performance-improving features of TLS 1.3, namely 1-RTT handshakes and 0-RTT session resumption, and improved security and privacy.

     
    Last edited: Apr 6, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod 123.09beta01's Nginx + OpenSSL 1.1 + TLS v1.3 progress :)
    Not quite there yet as Nginx has yet to add identification for TLS v1.3
    Code (Text):
    ./cipherscan https://domain.com
    .......
    Target: domain.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn          pfs                 curves  curves_ordering
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    3     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    4     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    5     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: unknown - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    
    TLS Tolerance: no
    Fallbacks required:
    big-SSLv3 no fallback req, connected: TLSv1.3 TLS13-AES-128-GCM-SHA256
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.3 TLS13-AES-128-GCM-SHA256
    
    Intolerance to:
     SSL 3.254           : absent
     TLS 1.0             : absent
     TLS 1.1             : absent
     TLS 1.2             : absent
     TLS 1.3             : absent
     TLS 1.4             : absent

    Test against OpenSSL 1.1 dev TLS v1.3 enabled binary works
    Code (Text):
    echo -n | openssl s_client -connect domain.com:443 -CAfile /etc/ssl/certs/cacert.pem| sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = domain.com
    verify return:1
    DONE
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/CN=domain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    subject=/CN=domain.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    ---
    SSL handshake has read 3019 bytes and written 491 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS13-AES-128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS13-AES-128-GCM-SHA256
        Extended master secret: no
    ---
    read R BLOCK

    take note
    Code (Text):
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS13-AES-128-GCM-SHA256


    Last edited: Apr 7, 2017
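
A scripted version of the "take note" check in the post above, as an added example that is not part of the original thread: it reads `openssl s_client` text output, reports the negotiated protocol and cipher, and fails if the server fell back to something other than the expected version. The helper names `negotiated_tls` and `require_protocol` are hypothetical, and the sample input is constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): report what `openssl s_client` negotiated.

# Constructed sample, modelled on the s_client output quoted in the post above.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS13-AES-128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS13-AES-128-GCM-SHA256
---'

# negotiated_tls (hypothetical helper): read s_client text on stdin and print
# "<protocol> <cipher>" from the "New, ..." / "Reused, ..." summary line.
# Exit 2: no summary line found. Exit 3: SSL-Session block disagrees with it.
negotiated_tls() {
  awk '
    /^(New|Reused), / {
      split($0, f, ", ")          # f[2] = protocol, f[3] = "Cipher is <name>"
      proto = f[2]
      cipher = f[3]; sub(/^Cipher is /, "", cipher)
    }
    /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); sess_proto = $0 }
    /^[ \t]*Cipher[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); sess_cipher = $0 }
    END {
      if (proto == "") exit 2
      if (sess_proto != "" && sess_proto != proto) exit 3
      if (sess_cipher != "" && sess_cipher != cipher) exit 3
      print proto, cipher
    }'
}

# require_protocol (hypothetical helper): succeed only if the negotiated
# protocol is exactly the one expected (default TLSv1.3), so a silent
# fallback to TLSv1.2 or a failed handshake ("(NONE)") is caught.
require_protocol() {
  got="$(negotiated_tls)" || return $?
  [ "${got%% *}" = "${1:-TLSv1.3}" ]
}

# Live use against the host from the thread (needs a TLS 1.3 capable openssl):
#   echo -n | openssl s_client -connect domain.com:443 2>/dev/null | require_protocol TLSv1.3

printf '%s\n' "$SAMPLE_OUTPUT" | negotiated_tls   # prints: TLSv1.3 TLS13-AES-128-GCM-SHA256
```
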
  3. ahmed

    ahmed Member

    Hello, any progress on TLS 1.3?

    This is mine:
    Code:
    nginx version: nginx/1.13.6
    built by gcc 6.3.1 20170216 (Red Hat 6.3.1-3) (GCC)
    built with OpenSSL 1.1.0f  25 May 2017
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.31 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0f --with-openssl-opt='enable-ec_nistp_64_gcc_128'
    [ahmedalshaarawy@test-instance ~]$
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    None yet, waiting on OpenSSL official TLS v1.3 support :)
     
  5. bassie

    bassie Active Member

    I'm sorry to say but put it out of your mind for the short term.

    Please don't expect TLS 1.3 in the very near future.
    There are too many hardware problems with TLS 1.3 which need to be resolved first.

    It is not advisable to use TLS 1.3 already, other than test sites.

     