/ Register

Want to subscribe to topics you're interested in?
Become a Member

Nginx Ding dong! - TLSv1.3 support in Nginx master branch

Discussion in 'Nginx and PHP-FPM news & discussions' started by bassie, Apr 19, 2017.

Tags:
Previous Thread Next Thread
Loading...
Page 1 of 2
  1. Apr 19, 2017 #1
    bassie

    bassie Active Member

    808
    190
    43
    Apr 29, 2016
    Ratings:
    +572
    Local Time:
    12:40 AM
    Nginx Support for the TLSv1.3 protocol.
    As Master is relative close to stable (only a few days and a few commits).
    Happy testing!

    Commits · nginx/nginx · GitHub
     
    • Informative Informative x 2
    • Like Like x 1
  2. Apr 19, 2017 #2
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    woohoo.. getting closer !
     
  3. Apr 19, 2017 #3
    Revenge

    Revenge Active Member

    383
    80
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +287
    Local Time:
    11:40 PM
    1.9.x
    10.1.x
    So, next version of Openssl and next version of Nginx. Browsers already support it?
     
  4. Apr 19, 2017 #4
    bassie

    bassie Active Member

    808
    190
    43
    Apr 29, 2016
    Ratings:
    +572
    Local Time:
    12:40 AM
    Yes and no.

    It is all about developers software. I.e. for @eva2000 to prepair his software for the upcomping new changes and features.

    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 18 branch: YES
    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 19: NO
    As all current browsers are on draft 18, including their beta channels.

    I'll try a few things when I have some time.
    Nginx nginx-1.12.0 stable with TLSv1.3 patches and OpenSSL 1.1.1 dev with draft 18 branch.
    I'm curious ;)
     
    Last edited: Apr 19, 2017
  5. Apr 20, 2017 #5
    bassie

    bassie Active Member

    808
    190
    43
    Apr 29, 2016
    Ratings:
    +572
    Local Time:
    12:40 AM
    The picture says it all.......
    [​IMG]
    [​IMG]
     
    • Like Like x 1
    • Informative Informative x 1
  6. Apr 21, 2017 #6
    bassie

    bassie Active Member

    808
    190
    43
    Apr 29, 2016
    Ratings:
    +572
    Local Time:
    12:40 AM
    Working great so far.
    Test as being the end-user surfing on websites with Chrome and Firefox stable.
     
    • Like Like x 1
  7. Apr 21, 2017 #7
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    Good to know ! :cool:
     
  8. Apr 21, 2017 #8
    bassie

    bassie Active Member

    808
    190
    43
    Apr 29, 2016
    Ratings:
    +572
    Local Time:
    12:40 AM
    Lets go to final TLS 1.3 :)
    20 drafts (0-19) and counting is quite much.
    Quality beyond quantity but most standards require a draft or 10 before they become final.
    So a long ride.
     
    • Agree Agree x 1
  9. Apr 21, 2017 #9
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    After working on Centmin Mod development for so long and having to balance the stages of development from alpha, beta to rc and final quality and production ready code, I can't imagine how much testing and work goes into rolling out a entire protocol like TLS 1.3 to the masses !
     
    • Like Like x 1
  10. Apr 21, 2017 #10
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    1.13.0 due in 5 days has TLS 1.3 Roadmap – nginx
     
    • Informative Informative x 1
  11. Apr 21, 2017 #11
    pamamolf

    pamamolf Well-Known Member

    3,080
    293
    83
    May 31, 2014
    Ratings:
    +525
    Local Time:
    1:40 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Wondering if it has a fallback as Safari may get a related update after a few years :)
     
  12. Apr 21, 2017 #12
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    like TLS 1.2, TLS 1.3 just falls back if not supported
     
    • Informative Informative x 1
  13. Apr 21, 2017 #13
    pamamolf

    pamamolf Well-Known Member

    3,080
    293
    83
    May 31, 2014
    Ratings:
    +525
    Local Time:
    1:40 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    So we must use openssl only for it?
     
  14. Apr 21, 2017 #14
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
  15. Apr 21, 2017 #15
    pamamolf

    pamamolf Well-Known Member

    3,080
    293
    83
    May 31, 2014
    Ratings:
    +525
    Local Time:
    1:40 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok :)

    Just didn't know if Libressl supports or plan to support soon TLS 1.3
     
  16. Apr 21, 2017 #16
    bassie

    bassie Active Member

    808
    190
    43
    Apr 29, 2016
    Ratings:
    +572
    Local Time:
    12:40 AM
    Sorry but not going to happen in the near feature.
    As LibreSSL is based on OpenSSL 1.0.1 (first release March 14, 2012).
    And 3 versions behind upstream OpenSSL, apparently for a reason and purpose.
    I.e. just like LibreSSL won't support TLS 1.3, LibreSSL doesn't have support for multiple certificate chains.

    LibreSSL is mostly similar to:
    as written by Maxim Dounin.
     
    • Informative Informative x 1
  17. Apr 22, 2017 #17
    pamamolf

    pamamolf Well-Known Member

    3,080
    293
    83
    May 31, 2014
    Ratings:
    +525
    Local Time:
    1:40 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    So you recommend me to use openSSL ?

    Code:
    LIBRESSL_SWITCH='n'
    Also if i don't use OPENSSL_VERSION= and i always update the Centminmod before upgrades of Nginx then i should get the latest version anyway as George update it as default ?

    Also reading around on the net it seems more secure than Opensssl .....

    So is it like .. more secure but with no new tricks? :)
     
    Last edited: Apr 22, 2017
  18. Apr 22, 2017 #18
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    yes but it's latest OpenSSL 1.0.2 branch version not OpenSSL 1.1.x so if you want OpenSSL 1.1.x latest you set OPENSSL_VERSION in persistent config file

    yeah security vs performance vs features https://community.centminmod.com/th...-0e-vs-libressl-2-4-5-2-5-1-benchmarks.10463/

     
    • Informative Informative x 1
  19. Apr 22, 2017 #19
    pamamolf

    pamamolf Well-Known Member

    3,080
    293
    83
    May 31, 2014
    Ratings:
    +525
    Local Time:
    1:40 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    As it can automatically fall back to 1.0x if Lua is detected as enabled why not set as default the new 1.1.x ? :)
     
  20. Apr 22, 2017 #20
    eva2000

    eva2000 Administrator Staff Member

    33,762
    7,469
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,482
    Local Time:
    8:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    yeah that's the eventual plan :)
     
    • Like Like x 1
Previous Thread Next Thread
Loading...
Page 1 of 2
..

.