Nginx Ding dong! - TLSv1.3 support in Nginx master branch

Discussion in 'Nginx and PHP-FPM news & discussions' started by bassie, Apr 19, 2017.

  1. bassie

    Nginx Support for the TLSv1.3 protocol.
    As Master is relatively close to stable (only a few days and a few commits).
    Happy testing!

    Commits · nginx/nginx · GitHub
     
  2. eva2000

    woohoo.. getting closer !
     
  3. Revenge

    So, next version of OpenSSL and next version of Nginx. Browsers already support it?
     
  4. bassie

    Yes and no.

    It is all about developers' software. I.e. for @eva2000 to prepare his software for the upcoming new changes and features.

    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 18 branch: YES
    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 19: NO
    As all current browsers are on draft 18, including their beta channels.

    I'll try a few things when I have some time.
    Nginx nginx-1.12.0 stable with TLSv1.3 patches and OpenSSL 1.1.1 dev with draft 18 branch.
    I'm curious ;)
     
    Last edited: Apr 19, 2017
  5. bassie

    The picture says it all.......
    [​IMG]
    [​IMG]
     
  6. bassie

    Working great so far.
    Tested as an end-user surfing websites with Chrome and Firefox stable.
     
  7. eva2000

    Good to know ! :cool:
     
  8. bassie

    Let's go to final TLS 1.3 :)
    20 drafts (0-19) and counting is quite a lot.
    Quality over quantity, but most standards require a draft or 10 before they become final.
    So a long ride.
     
  9. eva2000

    After working on Centmin Mod development for so long and having to balance the stages of development from alpha, beta to rc and final quality and production ready code, I can't imagine how much testing and work goes into rolling out an entire protocol like TLS 1.3 to the masses!
     
  10. eva2000

    1.13.0 due in 5 days has TLS 1.3: Roadmap – nginx
     
  11. pamamolf

    Wondering if it has a fallback as Safari may get a related update after a few years :)
     
  12. eva2000

    like TLS 1.2, TLS 1.3 just falls back if not supported
     
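The draft 18 versus draft 19 mismatch and the fallback behaviour discussed in the posts above can be modelled in a few lines. This is an added example, not code from the thread, nginx or OpenSSL; it assumes the draft-era convention that a TLS 1.3 draft N implementation advertises the version code `0x7f00 | N` in its `supported_versions` list, and the function names and offer lists are constructed for illustration.

```python
# Added example: a simplified model of TLS version selection during the
# TLS 1.3 draft period. Names and sample offers are constructed, not real captures.

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303


def draft(n):
    """Version code advertised by a TLS 1.3 draft-n implementation."""
    return 0x7F00 | n


def is_draft(code):
    return code >> 8 == 0x7F


def rank(code):
    """Any TLS 1.3 draft outranks TLS 1.2 and below; newer drafts rank higher."""
    return (1, code & 0xFF) if is_draft(code) else (0, code)


def negotiate(client_offers, server_supports):
    """Return the best version both sides share, or None (handshake fails)."""
    common = set(client_offers) & set(server_supports)
    return max(common, key=rank) if common else None


def name(code):
    if code is None:
        return "handshake failure"
    if is_draft(code):
        return f"TLS 1.3 (draft {code & 0xFF})"
    return {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}.get(code, hex(code))


# Constructed offer list for a browser that speaks draft 18.
BROWSER_DRAFT18 = [draft(18), TLS12, TLS11, TLS10]

if __name__ == "__main__":
    servers = {
        "server built against draft 18, TLS 1.2 enabled": {draft(18), TLS12},
        "server built against draft 19, TLS 1.2 enabled": {draft(19), TLS12},
        "server built against draft 19, TLS 1.3 only": {draft(19)},
    }
    for label, supported in servers.items():
        print(f"{label}: {name(negotiate(BROWSER_DRAFT18, supported))}")
```

The third case is the one to avoid on a test server: with no shared draft and TLS 1.2 disabled, there is nothing to fall back to and the connection fails.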
  13. pamamolf

    So we must use OpenSSL only for it?
     
  14. eva2000

  15. pamamolf

    Ok :)

    Just didn't know if LibreSSL supports or plans to support TLS 1.3 soon
     
  16. bassie

    Sorry but not going to happen in the near future.
    As LibreSSL is based on OpenSSL 1.0.1 (first release March 14, 2012).
    And 3 versions behind upstream OpenSSL, apparently for a reason and purpose.
    I.e. just like LibreSSL won't support TLS 1.3, LibreSSL doesn't have support for multiple certificate chains.

    LibreSSL is mostly similar to:
    as written by Maxim Dounin.
     
  17. pamamolf

    So you recommend that I use OpenSSL?

    Code:
    LIBRESSL_SWITCH='n'
    Also, if I don't use OPENSSL_VERSION= and I always update Centmin Mod before upgrades of Nginx, then I should get the latest version anyway, as George updates it as default?

    Also, reading around on the net, it seems more secure than OpenSSL .....

    So is it like .. more secure but with no new tricks? :)
     
    Last edited: Apr 22, 2017
  18. eva2000

    yes but it's latest OpenSSL 1.0.2 branch version not OpenSSL 1.1.x so if you want OpenSSL 1.1.x latest you set OPENSSL_VERSION in persistent config file

    yeah security vs performance vs features https://community.centminmod.com/th...-0e-vs-libressl-2-4-5-2-5-1-benchmarks.10463/

     
  19. pamamolf

    As it can automatically fall back to 1.0x if Lua is detected as enabled why not set as default the new 1.1.x ? :)
     
  20. eva2000

    yeah that's the eventual plan :)
     