
Security Changes coming to TLS (TLS v1.3)

Discussion in 'All Internet & Web Performance News' started by eva2000, Apr 6, 2017.

  1. eva2000
    Red Hat's two-part look into the upcoming TLS changes for TLS v1.3, including the performance-improving features of TLS 1.3, namely 1-RTT handshakes and 0-RTT session resumption, and improved security and privacy.

     
    Last edited: Apr 6, 2017
  2. eva2000
    Centmin Mod 123.09beta01's Nginx + OpenSSL 1.1 + TLS v1.3 progress :)
    Not quite there yet, as Nginx has yet to add identification for TLS v1.3.
    Code (Text):
    ./cipherscan https://domain.com
    .......
    Target: domain.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn          pfs                 curves  curves_ordering
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    3     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    4     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    5     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         h2,http/1.1  ECDH,P-256,256bits  server
    
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: unknown - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    
    TLS Tolerance: no
    Fallbacks required:
    big-SSLv3 no fallback req, connected: TLSv1.3 TLS13-AES-128-GCM-SHA256
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.3 TLS13-AES-128-GCM-SHA256
    
    Intolerance to:
     SSL 3.254           : absent
     TLS 1.0             : absent
     TLS 1.1             : absent
     TLS 1.2             : absent
     TLS 1.3             : absent
     TLS 1.4             : absent

    Testing against an OpenSSL 1.1 dev TLS v1.3-enabled binary works:
    Code (Text):
    echo -n | openssl s_client -connect domain.com:443 -CAfile /etc/ssl/certs/cacert.pem| sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = domain.com
    verify return:1
    DONE
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/CN=domain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    subject=/CN=domain.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    ---
    SSL handshake has read 3019 bytes and written 491 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS13-AES-128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS13-AES-128-GCM-SHA256
        Extended master secret: no
    ---
    read R BLOCK

    Take note:
    Code (Text):
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS13-AES-128-GCM-SHA256


    Last edited: Apr 7, 2017
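The two checks in this post (cipherscan's "connected:" lines and the SSL-Session block from s_client) are what you end up scripting while Nginx itself cannot yet report the negotiated version. Below is an added example, not code from eva2000's post or from Centmin Mod, that wraps the s_client check from this post in a small POSIX shell helper: it parses the SSL-Session block for the protocol and cipher the post says to take note of, and also reports the "Early data" line, which is how you see whether the 0-RTT resumption mentioned in the first post was actually used. Assumptions: an openssl binary on PATH whose s_client prints the SSL-Session block in the same layout as the capture above, the -tls1_3 version flag (OpenSSL 1.1.1 syntax; the 1.1 dev build used in the post may not accept it), a placeholder hostname, and a constructed sample of s_client output embedded so the parser runs offline.

```shell
#!/bin/sh
# Added example, not code from the post above or from Centmin Mod: wraps the
# `openssl s_client` check in functions that report only what the post says
# to "take note" of (negotiated protocol and cipher) plus the "Early data"
# line, which tells you whether 0-RTT resumption was used.
# Assumptions: an OpenSSL on PATH whose s_client prints the SSL-Session block
# in the layout captured above; -tls1_3 is OpenSSL 1.1.1 syntax; the hostname
# in the usage comment is a placeholder.

# Constructed sample of s_client output (trimmed), modelled on the post's capture.
SAMPLE_SESSION='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS13-AES-128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Early data was not sent
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS13-AES-128-GCM-SHA256
    Extended master secret: no
---'

# parse_session: read s_client output on stdin and print one line:
#   "<protocol> <cipher> <0rtt|no-0rtt|n/a>"
# Only the SSL-Session fields and the "Early data" line are used; the
# "New, ..." summary line and the certificate dump are ignored.
parse_session() {
    awk '
        /^ *Protocol *:/  { proto = $NF }
        /^ *Cipher *:/    { cipher = $NF }
        /^Early data was/ { early = ($4 == "not") ? "no-0rtt" : "0rtt" }
        END {
            if (proto == "")  proto = "unknown"
            if (cipher == "") cipher = "unknown"
            if (early == "")  early = "n/a"
            print proto, cipher, early
        }'
}

# probe_host HOST [PORT] [VERSION_FLAG]: one live s_client connection pinned
# to a protocol version (default -tls1_3), summarised by parse_session.
# stdin is /dev/null so s_client exits as soon as the handshake completes.
probe_host() {
    host=$1
    port=${2:-443}
    flag=${3:-"-tls1_3"}
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>/dev/null | parse_session
}

# tls13_negotiated SUMMARY: succeeds only when the summary line says TLSv1.3.
tls13_negotiated() {
    case "$1" in
        "TLSv1.3 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Offline demo on the constructed sample. For a live check run, for example:
#   probe_host domain.com 443 -tls1_3
summary=$(printf '%s\n' "$SAMPLE_SESSION" | parse_session)
echo "$summary"    # TLSv1.3 TLS13-AES-128-GCM-SHA256 no-0rtt
if tls13_negotiated "$summary"; then
    echo "TLS 1.3 negotiated"
else
    echo "TLS 1.3 not negotiated"
fi
```

Two things in the capture above are worth reading alongside this helper. "Secure Renegotiation IS NOT supported" on a TLS 1.3 connection is expected rather than a regression, because TLS 1.3 removed renegotiation entirely. The early-data field matters once 0-RTT is turned on: 0-RTT application data can be replayed by a network attacker, so a server should only accept it for requests that are safe to replay, and a probe that reports "0rtt" is the signal to check what the origin does with such requests.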