Welcome to Centmin Mod Community
Become a Member

SSL Google Chrome 81 deprecates TLS 1.0 and TLS 1.1 protocols in favour of TLS 1.2 & TLS 1.3.

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 17, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    42,078
    9,497
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,613
    Local Time:
    4:28 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Google plans to deprecate HTTPS usage of TLS 1.0 and TLS 1.1 protocols in favour of TLS 1.2 and TLS 1.3 in Chrome 81 and starting in Chrome 79 on January 13, 2020 will start showing HTTPS sites using TLS 1.0 and TLS 1.1 protocols as not secure. Mozilla also announced their Firefox deprecation of TLS 1.0 and TLS 1.1 by March, 2020 - as will Apple and Microsoft's products. So we have around 5 more months to go.

    Centmin Mod Nginx HTTPS users can read up on TLS 1.3 at Centmin Mod Nginx HTTP/2 HTTPS TLS 1.3 Support.
    Currently, Centmin Mod 123.09beta01 configures the HTTPS SSL protocols used via a Nginx include file at /usr/local/nginx/conf/ssl_include.conf placed in each generated Nginx vhost config file at /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf.

    The base template for /usr/local/nginx/conf/ssl_include.conf include file is
    Code (Text):
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    

    which then gets dynamically configured for TLSv1.3 if the detected Nginx crypto library it is built against (OpenSSL, LibreSSL, BoringSSL, BoringSSL/Quiche) has TLSv1.3 support. OpenSSL 1.1.1+ and BoringSSL are only ones supporting TLSv1.3 right now.

    Centmin Mod 123.09beta01 Nginx defaults to being built against OpenSSL 1.1.1 so TLSv1.3 support would mean include file /usr/local/nginx/conf/ssl_include.conf automatically gets changed to the following on centmin.sh menu option 4 runs when upgrading/downgrading or recompiling Nginx server.
    Code (Text):
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    

    Now the question is when should Centmin Mod 123.09beta01 and newer start defaulting to removing TLSv1 (TLS 1.0) and TLSv1.1 (TLS 1.1) from the default install templates so they just become. Apple, Google, Microsoft and Mozilla will all deprecate TLS 1.0 and TLS 1.1 by 2020 next year it seems.
    Code (Text):
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1.2 TLSv1.3;
    


    You can actually configure custom Nginx logging if you are behind or not behind Cloudflare as outlined at Cloudflare - Cloudflare custom Nginx logging to get your profile of SSL protocol usage to see what you are serving to visitors.

    Example for one of my sites behind Cloudflare I am serving to CF edge the following since CF edge supports TLS 1.3 communication to Centmin Mod Nginx origin backends when using Cloudflare Full or Full Strict SSL. But not all clients/browsers support TLSv1.3 so you can see TLSv1.2 usage too i.e. Cloudflare Railgun which I use is over TLSv1.2 as well.
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    299277  TLSv1.3  TLS_AES_256_GCM_SHA384
    192104  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    77871   TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    58      -        -
    39      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    6       TLSv1    ECDHE-ECDSA-AES128-SHA
    3       TLSv1.1  ECDHE-ECDSA-AES128-SHA
    

    If you weren't behind Cloudflare or a reverse proxy like Incapsula or Sucuri WAF proxy, then the stats logged would be for direct visitors you serve.

    Cloudflare has TLS minimum version setting for users which defaults to TLS 1.0, though I set it to TLS 1.2 minimum myself which is recommended.

    cloudflare-tls.png


    With that said I am thinking Centmin Mod should be end of December 2019, set TLSv1.2 as minimum SSL protocol to use in it's include file. What do folks think ? The argument is some sites have visitors using older browser clients which don't support TLSv1.2 but then they will be very old according to stats at Can I use... Support tables for HTML5, CSS3, etc and Can I use... Support tables for HTML5, CSS3, etc

    caniuse-tls12.png caniuse-tls13.png
     
  2. rdan

    rdan Well-Known Member

    4,715
    1,138
    113
    May 25, 2014
    Ratings:
    +1,693
    Local Time:
    2:28 AM
    Mainline
    10.2
    I still have lot's of TLS 1.0-1.1 users :(
    upload_2019-10-17_17-53-19.png
     
  3. eva2000

    eva2000 Administrator Staff Member

    42,078
    9,497
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,613
    Local Time:
    4:28 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Use Google Analytics to break down traffic by browser and usage (session time) to see if those are real users of crawler/bots etc :) Centmin Mod Premium users have access to private premium members forum which also has a sticky thread for custom Google Analytics Dashboards to break down browser traffic too.

    Example below of Premium member's Google Analytics custom dashboard available

    ga-browser-breakdown-171019-02.png

    ga-browser-breakdown-171019-03.png

    and

    ga-browser-breakdown-171019-01.png ga-browser-breakdown-171019-04.png
     
    • Like Like x 1
  4. rdan

    rdan Well-Known Member

    4,715
    1,138
    113
    May 25, 2014
    Ratings:
    +1,693
    Local Time:
    2:28 AM
    Mainline
    10.2
    I think we are fine as long as 1.2 and 1.3 are enabled?
     
  5. eva2000

    eva2000 Administrator Staff Member

    42,078
    9,497
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,613
    Local Time:
    4:28 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Yes modern HTTPS recommends TLSv1.2 and TLSv1.3 which is what I enabled for this forum via Cloudflare TLS protocol settings :)