OpenSSL OpenSSL 1.1.1 Released with TLS 1.3 Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Sep 11, 2018.

  1. ahmed

    ahmed Member

    Feb 21, 2017
    yes

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
     
  2. Sunka

    Sunka Well-Known Member

    Oct 31, 2015
    Rijeka, Croatia
    Nginx 1.15.0
    MariaDB 10.2.15
    So, to use TLSv1.3 we have to do 3 things:
    1. recompile nginx if we use an older version (1.15.3) or just upgrade nginx to the newest version

    2. manually update ssl_ciphers to:
      Code:
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    3. update the file /usr/local/nginx/conf/ssl_include.conf to manually add TLS 1.3
      Code:
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    4. restart nginx after that

    Do we need anything else to do?
     
  3. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.15.x
    MariaDB 5.5/10.x
    For TLS 1.3, yup steps 1 to 3 only :)
     
  4. ahmed

    ahmed Member

    Feb 21, 2017
    It worked for me without step 2; however, I just modified it now. Does it matter?
     
  5. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Step 2? The ssl_ciphers update? I'd do the update :)
     
  6. BamaStangGuy

    BamaStangGuy Active Member

    May 25, 2014
    If we are using Cloudflare SSL do we need to add ssl_ciphers line?

    These are currently the only lines I use for SSL with Cloudflare.

    Code:
            ssl_certificate      /usr/local/nginx/conf/ssl/cf.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/cf.key;
    
            ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare.crt;
            ssl_verify_client on;
    
            ssl_early_data on;
            proxy_set_header Early-Data $ssl_early_data;
     
  7. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.15.x
    MariaDB 5.5/10.x
    I'd update the ssl_ciphers line but remove
    Code (Text):
           ssl_early_data on;
           proxy_set_header Early-Data $ssl_early_data;
    

    Cloudflare doesn't support using Early Data session resumption (0-RTT) or TLS 1.3 for communication between Cloudflare and a Centmin Mod Nginx origin server, as CF is using TLS 1.3 draft 22 right now, and even if they update to the TLS 1.3 RFC final, they have said they won't support 0-RTT for CF-to-origin communications.
     
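    A small config audit for the points raised in this thread, added here as an example and not code from the thread or from Centmin Mod: it parses the ssl_* directives from an ssl_include.conf-style snippet (a constructed sample built from the lines posted above), confirms TLSv1.3 is present in ssl_protocols, flags the legacy TLSv1/TLSv1.1 entries, and reports ssl_early_data on when the origin sits behind Cloudflare, which per the last reply gets no 0-RTT from CF anyway. Function names and the behind_cloudflare flag are assumptions of this example.

```python
import re

# Constructed sample: the step-3 ssl_protocols line plus the Cloudflare origin
# snippet posted in this thread, with ssl_early_data left on.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate      /usr/local/nginx/conf/ssl/cf.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/cf.key;
ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare.crt;
ssl_verify_client on;
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
"""

LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
# Matches simple one-line directives: name, whitespace, values, ';', optional comment.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*(#.*)?$")


def parse_directives(text):
    """Return {directive_name: [values...]} for simple one-line nginx directives."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found


def audit_tls(text, behind_cloudflare=False):
    """Check the TLS 1.3 and 0-RTT settings discussed in the thread (hypothetical helper)."""
    d = parse_directives(text)
    protocols = d.get("ssl_protocols", [])
    findings = []
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 missing from ssl_protocols (step 3 not applied)")
    legacy = sorted(LEGACY_PROTOCOLS & set(protocols))
    if legacy:
        findings.append("legacy protocols still enabled: " + ", ".join(legacy))
    early_data = d.get("ssl_early_data", ["off"])[0] == "on"
    if early_data and behind_cloudflare:
        findings.append("ssl_early_data on has no effect behind Cloudflare (no 0-RTT to origin)")
    return {"protocols": protocols, "early_data": early_data, "findings": findings}


if __name__ == "__main__":
    for f in audit_tls(SAMPLE_CONF, behind_cloudflare=True)["findings"]:
        print("WARN:", f)
```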