
Nginx Ding dong! - TLSv1.3 support in Nginx master branch

Discussion in 'Nginx and PHP-FPM news & discussions' started by bassie, Apr 19, 2017.

  1. bassie

    bassie Well-Known Member

    Nginx Support for the TLSv1.3 protocol.
    As Master is relatively close to stable (only a few days and a few commits).
    Happy testing!

    Commits · nginx/nginx · GitHub
     
  2. eva2000

    eva2000 Administrator Staff Member

    woohoo.. getting closer !
     
  3. Revenge

    Revenge Active Member

    So, next version of OpenSSL and next version of Nginx. Browsers already support it?
     
  4. bassie

    Yes and no.

    It is all about developers software. I.e. for @eva2000 to prepare his software for the upcoming new changes and features.

    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 18 branch: YES
    If you are using Nginx dev with OpenSSL 1.1.1 dev with draft 19: NO
    As all current browsers are on draft 18, including their beta channels.

    I'll try a few things when I have some time.
    Nginx nginx-1.12.0 stable with TLSv1.3 patches and OpenSSL 1.1.1 dev with draft 18 branch.
    I'm curious ;)
     
    Last edited: Apr 19, 2017
  5. bassie

    The picture says it all.......
    [​IMG]
    [​IMG]
     
  6. bassie

    Working great so far.
    Test as being the end-user surfing on websites with Chrome and Firefox stable.
     
  7. eva2000

    Good to know ! :cool:
     
  8. bassie

    Let's go to final TLS 1.3 :)
    20 drafts (0-19) and counting is quite a lot.
    Quality beyond quantity but most standards require a draft or 10 before they become final.
    So a long ride.
     
  9. eva2000

    After working on Centmin Mod development for so long and having to balance the stages of development from alpha, beta to rc and final quality and production ready code, I can't imagine how much testing and work goes into rolling out an entire protocol like TLS 1.3 to the masses !
     
  10. eva2000

    1.13.0 due in 5 days has TLS 1.3 Roadmap – nginx
     
  11. pamamolf

    pamamolf Well-Known Member

    Wondering if it has a fallback as Safari may get a related update after a few years :)
     
  12. eva2000

    like TLS 1.2, TLS 1.3 just falls back if not supported
     
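How the draft mismatch and the fallback discussed in the posts above play out in version negotiation, as an added example (not code from the thread, Nginx or OpenSSL): a simplified Python model of selection via the `supported_versions` extension. The function names and the sample client and server version lists are constructed for illustration.

```python
# Added example: simplified model of TLS version selection (not real handshake code).
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303

def draft(n):
    """Wire value a TLS 1.3 draft-n implementation advertises (0x7f00 | n)."""
    return 0x7F00 | n

def name(version):
    if version is None:
        return "no common version (handshake fails)"
    if version >> 8 == 0x7F:
        return f"TLS 1.3 draft {version & 0xFF}"
    return {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}[version]

def negotiate(server_versions, legacy_version, supported_versions=None):
    """Return the version the server selects, or None.

    server_versions: what the server has enabled, most preferred first.
    supported_versions: the client's extension list; None for pre-1.3 clients.
    """
    if supported_versions:
        offered = set(supported_versions)
        # Draft numbers must match exactly: draft 18 and draft 19 are different values.
        return next((v for v in server_versions if v in offered), None)
    # No extension: classic negotiation, capped by the ClientHello version field.
    older = [v for v in server_versions if v >> 8 == 0x03 and v <= legacy_version]
    return max(older, default=None)

# Constructed sample peers (assumptions, not captured traffic).
BROWSER_DRAFT18 = dict(legacy_version=TLS12,
                       supported_versions=[draft(18), TLS12, TLS11, TLS10])
OLD_CLIENT = dict(legacy_version=TLS12)           # no TLS 1.3 support at all
SERVER_DRAFT18 = [draft(18), TLS12]
SERVER_DRAFT19 = [draft(19), TLS12]
SERVER_DRAFT19_ONLY = [draft(19)]                 # TLS 1.2 disabled

if __name__ == "__main__":
    for label, server in [("draft 18 server", SERVER_DRAFT18),
                          ("draft 19 server", SERVER_DRAFT19),
                          ("draft 19 only", SERVER_DRAFT19_ONLY)]:
        for who, client in [("draft 18 browser", BROWSER_DRAFT18),
                            ("old client", OLD_CLIENT)]:
            print(f"{label:16} + {who:16} -> {name(negotiate(server, **client))}")
```

Keeping TLSv1.2 enabled next to TLSv1.3 in Nginx's `ssl_protocols` is what gives mismatched or older clients a version to fall back to.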
  13. pamamolf

    So we must use OpenSSL only for it?
     
  14. eva2000

  15. pamamolf

    Ok :)

    Just didn't know if LibreSSL supports or plans to support TLS 1.3 soon
     
  16. bassie

    Sorry but not going to happen in the near future.
    As LibreSSL is based on OpenSSL 1.0.1 (first release March 14, 2012).
    And 3 versions behind upstream OpenSSL, apparently for a reason and purpose.
    I.e. just like LibreSSL won't support TLS 1.3, LibreSSL doesn't have support for multiple certificate chains.

    LibreSSL is mostly similar to:
    as written by Maxim Dounin.
     
  17. pamamolf

    So you recommend me to use OpenSSL ?

    Code:
    LIBRESSL_SWITCH='n'
    Also if I don't use OPENSSL_VERSION= and I always update the Centminmod before upgrades of Nginx then I should get the latest version anyway as George updates it as default ?

    Also reading around on the net it seems more secure than OpenSSL .....

    So is it like .. more secure but with no new tricks? :)
     
    Last edited: Apr 22, 2017
  18. eva2000

    yes but it's latest OpenSSL 1.0.2 branch version not OpenSSL 1.1.x so if you want OpenSSL 1.1.x latest you set OPENSSL_VERSION in persistent config file

    yeah security vs performance vs features https://community.centminmod.com/th...-0e-vs-libressl-2-4-5-2-5-1-benchmarks.10463/

     
  19. pamamolf

    As it can automatically fall back to 1.0x if Lua is detected as enabled why not set as default the new 1.1.x ? :)
     
  20. eva2000

    yeah that's the eventual plan :)
     