Learn about Centmin Mod LEMP Stack today
Register Now

OpenSSL OpenSSL 1.1.1 and Chrome 70 with TLS 1.3 RFC support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Oct 16, 2018.

  1. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    As Chrome 70 stable is around the corner.

    It seemed to me as a BoringSSL user a good idea to test Chrome 70 with TLS 1.3 RFC support and a Nginx based OpenSSL 1.1.1 with TLS 1.3 RFC, test site.

    The Chrome 70 default setting is TLS 1.3 Draft 23, Draft 28 and final enabled.
    Problem is that any test site is using TLS 1.2 unless chrome://flags TLS 1.3 is set from default (as seen above) to Enabled (Final).


    Chrome version is 70.0.3538.54
    OpenSSL 1.1.1 final
    Nginx 1.15.4 and 1.15.5

    Does anyone recognize this behavior?
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    You using Chrome 70 beta ? Maybe Chrome 70 final will be different ?
     
  3. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    As the release is today. It seems to me that nothing, little has changed.
    That is why I am looking for experiences from others?
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Is it today.. my Chrome 69 hasn't got any updates for 70 yet so not released yet for stable version.
     
  5. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    That is correct: Stable in 0 day ( Oct 16 )
    Chrome 70 should be released in the matter of hours.
     
  6. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    usually it's USA timezone which is still Oct 15th AFAIK.
     
  7. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    Yup but as Google has offices all over the US continent and the world.
    If 16 is the day without release blocker bugs. And looking at previous releases. Chrome 70 should be launched within 19 hours.
     
  8. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yeah. Will be good to see TLS 1.3 usage pick up :D Just need for some anti-virus/malware scanning software who inspect HTTPS traffic to get updated to support TLS 1.3 properly :)
     
  9. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    Could you test the latest Chrome Beta with your TLS 1.3 (test) site?
    Centminmod is using OpenSSL 1.1.1 with TLS 1.3 final.

    I am very curious about your results.
    tHANKS,
     
  10. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    don't use chrome beta only chrome stable and chrome canary 71 :)
     
  11. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    You could use Chrome 70 portable if thats the problem.
    What about Chrome 71? Working fine with OpenSSL 1.1.1. tls 1.3 based sites out of the box?
     
  12. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yeah Chrome Canary 71 working fine for Centmin Mod Nginx 1.15.5 + OpenSSL 1.1.1 TLS 1.3 or BoringSSL TLS 1.3 :)
     
  13. Mastergumble

    Mastergumble Member

    44
    8
    8
    Sep 29, 2016
    Ratings:
    +17
    Local Time:
    8:57 PM
    1.11.x
    10.x
     
  14. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yeah but that references TLS 1.3 drafts as well as rfc final.
     
  15. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    4:57 AM
    Mainline
    10.2
    Google Chrome is up to date
    Version 70.0.3538.67 (Official Build) (64-bit)
     
  16. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    Chrome 70 released.

    I am curious about your test results.
     
  17. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    6:57 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    looks good to me Centmin Mod Nginx 1.15.5 + OpenSSL 1.1.1 TLS 1.3 enabled

    chrome70-tls1.3-rfc-final-centminmod-nginx-1.15.5-openssl-1.1.1-01.png

    chrome70-ssllabs-tls1.3-01.png
     
  18. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    As Chrome 70 stable is released.

    It seemed to me as a BoringSSL user a good idea to test Chrome 70 with TLS 1.3 RFC support and a Nginx based OpenSSL 1.1.1 with TLS 1.3 RFC, test site.

    The Chrome 70 default setting is TLS 1.3 Draft 23, Draft 28 and final enabled.
    Test site used TLS 1.3 (Final) without changing changing anything.
    TLS settings are not touched.

    Conclusion.
    Site seems to be running fine.

    Chrome 70 final version is 70.0.3538.67
    OpenSSL 1.1.1 final
    Nginx 1.15.4 and 1.15.5
     
  19. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:57 PM
    @eva2000 fortunately, something has changed since 70.0.3538.54 (latest beta) to 70.0.3538.67 (final).
    As TLS 1.3 seems to work as it should with the final bits.
     
  20. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    8:57 PM
    1.9.x
    10.1.x
    I use the beta version and its 70.0.3538.67.