/ Register

Join the community today
Register Now

Nginx Ding dong! - TLSv1.3 support in Nginx master branch

Discussion in 'Nginx and PHP-FPM news & discussions' started by bassie, Apr 19, 2017.

Tags:
Previous Thread Next Thread
Loading...
Page 1 of 2
  1. Apr 19, 2017 #1
    bassie

    bassie Active Member

    939
    220
    43
    Apr 29, 2016
    Ratings:
    +664
    Local Time:
    6:53 AM
    Nginx Support for the TLSv1.3 protocol.
    As Master is relative close to stable (only a few days and a few commits).
    Happy testing!

    Commits · nginx/nginx · GitHub
     
    • Informative Informative x 2
    • Like Like x 1
  2. Apr 19, 2017 #2
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    woohoo.. getting closer !
     
  3. Apr 19, 2017 #3
    Revenge

    Revenge Active Member

    408
    85
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +302
    Local Time:
    5:53 AM
    1.9.x
    10.1.x
    So, next version of Openssl and next version of Nginx. Browsers already support it?
     
  4. Apr 19, 2017 #4
    bassie

    bassie Active Member

    939
    220
    43
    Apr 29, 2016
    Ratings:
    +664
    Local Time:
    6:53 AM
    Yes and no.

    It is all about developers software. I.e. for @eva2000 to prepair his software for the upcomping new changes and features.

    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 18 branch: YES
    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 19: NO
    As all current browsers are on draft 18, including their beta channels.

    I'll try a few things when I have some time.
    Nginx nginx-1.12.0 stable with TLSv1.3 patches and OpenSSL 1.1.1 dev with draft 18 branch.
    I'm curious ;)
     
    Last edited: Apr 19, 2017
  5. Apr 20, 2017 #5
    bassie

    bassie Active Member

    939
    220
    43
    Apr 29, 2016
    Ratings:
    +664
    Local Time:
    6:53 AM
    The picture says it all.......
    [​IMG]
    [​IMG]
     
    • Like Like x 1
    • Informative Informative x 1
  6. Apr 21, 2017 #6
    bassie

    bassie Active Member

    939
    220
    43
    Apr 29, 2016
    Ratings:
    +664
    Local Time:
    6:53 AM
    Working great so far.
    Test as being the end-user surfing on websites with Chrome and Firefox stable.
     
    • Like Like x 1
  7. Apr 21, 2017 #7
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Good to know ! :cool:
     
  8. Apr 21, 2017 #8
    bassie

    bassie Active Member

    939
    220
    43
    Apr 29, 2016
    Ratings:
    +664
    Local Time:
    6:53 AM
    Lets go to final TLS 1.3 :)
    20 drafts (0-19) and counting is quite much.
    Quality beyond quantity but most standards require a draft or 10 before they become final.
    So a long ride.
     
    • Agree Agree x 1
  9. Apr 21, 2017 #9
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    After working on Centmin Mod development for so long and having to balance the stages of development from alpha, beta to rc and final quality and production ready code, I can't imagine how much testing and work goes into rolling out a entire protocol like TLS 1.3 to the masses !
     
    • Like Like x 1
  10. Apr 21, 2017 #10
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    1.13.0 due in 5 days has TLS 1.3 Roadmap – nginx
     
    • Informative Informative x 1
  11. Apr 21, 2017 #11
    pamamolf

    pamamolf Well-Known Member

    3,113
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    7:53 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Wondering if it has a fallback as Safari may get a related update after a few years :)
     
  12. Apr 21, 2017 #12
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    like TLS 1.2, TLS 1.3 just falls back if not supported
     
    • Informative Informative x 1
  13. Apr 21, 2017 #13
    pamamolf

    pamamolf Well-Known Member

    3,113
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    7:53 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    So we must use openssl only for it?
     
  14. Apr 21, 2017 #14
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  15. Apr 21, 2017 #15
    pamamolf

    pamamolf Well-Known Member

    3,113
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    7:53 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok :)

    Just didn't know if Libressl supports or plan to support soon TLS 1.3
     
  16. Apr 21, 2017 #16
    bassie

    bassie Active Member

    939
    220
    43
    Apr 29, 2016
    Ratings:
    +664
    Local Time:
    6:53 AM
    Sorry but not going to happen in the near feature.
    As LibreSSL is based on OpenSSL 1.0.1 (first release March 14, 2012).
    And 3 versions behind upstream OpenSSL, apparently for a reason and purpose.
    I.e. just like LibreSSL won't support TLS 1.3, LibreSSL doesn't have support for multiple certificate chains.

    LibreSSL is mostly similar to:
    as written by Maxim Dounin.
     
    • Informative Informative x 1
  17. Apr 22, 2017 #17
    pamamolf

    pamamolf Well-Known Member

    3,113
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    7:53 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    So you recommend me to use openSSL ?

    Code:
    LIBRESSL_SWITCH='n'
    Also if i don't use OPENSSL_VERSION= and i always update the Centminmod before upgrades of Nginx then i should get the latest version anyway as George update it as default ?

    Also reading around on the net it seems more secure than Opensssl .....

    So is it like .. more secure but with no new tricks? :)
     
    Last edited: Apr 22, 2017
  18. Apr 22, 2017 #18
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yes but it's latest OpenSSL 1.0.2 branch version not OpenSSL 1.1.x so if you want OpenSSL 1.1.x latest you set OPENSSL_VERSION in persistent config file

    yeah security vs performance vs features https://community.centminmod.com/th...-0e-vs-libressl-2-4-5-2-5-1-benchmarks.10463/

     
    • Informative Informative x 1
  19. Apr 22, 2017 #19
    pamamolf

    pamamolf Well-Known Member

    3,113
    295
    83
    May 31, 2014
    Ratings:
    +530
    Local Time:
    7:53 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    As it can automatically fall back to 1.0x if Lua is detected as enabled why not set as default the new 1.1.x ? :)
     
  20. Apr 22, 2017 #20
    eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    2:53 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yeah that's the eventual plan :)
     
    • Like Like x 1
Previous Thread Next Thread
Loading...
Page 1 of 2
..

.