
SSL QuicTLS seems obsolete

Discussion in 'Feature Requests & Suggestions' started by buik, Apr 15, 2025.

  1. buik
    The QuicTLS repo is archived. It is now read-only: 'This repository was archived by the owner on Apr 10, 2025. It is now read-only.' - GitHub - quictls/openssl: TLS/SSL and crypto library with QUIC APIs

    It seems as if they aren't going to release new updates to QuicTLS, although my effective free time to dive deep into it is limited.

    As of OpenSSL 3.5, there is upstream QUIC support. @eva2000, OpenSSL 3.5 support for Centminmod seems to me like a welcome addition.

     
  2. eva2000
  3. buik
    Polished, that of course depends on to what extent. Does AWS-LC support dual cert these days?

    Code:
    # CMM's per-branch OpenSSL detection: cut the version string down to
    # "major.minor" (or "major.minor.patch" for the 1.1.1 line) and grep
    # for one literal branch per variable; dots are escaped so that "." is
    # not treated as a regex wildcard and the variable is quoted.
    DETECTOPENSSL_ONEONE=$(echo "$OPENSSL_QUIC_VERSION" | cut -d . -f1-3 | grep -o '1\.1\.1')
    DETECTOPENSSL_THREEZERO=$(echo "$OPENSSL_QUIC_VERSION" | cut -d . -f1-2 | grep -o '3\.0')
    DETECTOPENSSL_THREEONE=$(echo "$OPENSSL_QUIC_VERSION" | cut -d . -f1-2 | grep -o '3\.1')
    DETECTOPENSSL_THREETWO=$(echo "$OPENSSL_QUIC_VERSION" | cut -d . -f1-2 | grep -o '3\.2')
    DETECTOPENSSL_THREETHREE=$(echo "$OPENSSL_QUIC_VERSION" | cut -d . -f1-2 | grep -o '3\.3')
    DETECTOPENSSL_THREEFOUR=$(echo "$OPENSSL_QUIC_VERSION" | cut -d . -f1-2 | grep -o '3\.4')
    About QuicTLS.
    Your CMM code contains QuicTLS options, so users can still install QuicTLS even though the project seems to have stopped. This does not seem desirable to me in the long run. Users may then one day be “stuck” with insecure QuicTLS software.
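    The DETECTOPENSSL_* snippet quoted above matches one branch per variable and has no line for OpenSSL 3.5, so a 3.5 build leaves every variable empty. The following is an added example, not Centmin Mod's own code, showing the same detection done in one place with literal dots, plus a check for whether a given version carries upstream QUIC. The tag names mirror the snippet; THREEFIVE and UNKNOWN, the function names, and the sample version strings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. It maps an OpenSSL version string
# (e.g. "3.5.0", the bare value the DETECTOPENSSL_* snippet reads from
# OPENSSL_QUIC_VERSION) to one branch tag, and reports whether that release
# has upstream QUIC. Tag names mirror the forum snippet; THREEFIVE and
# UNKNOWN are assumed additions.

# detect_openssl_branch VERSION
# Prints ONEONE, THREEZERO, THREEONE, THREETWO, THREETHREE, THREEFOUR,
# THREEFIVE, or UNKNOWN. Dots are literal here, unlike `grep -o 3.4`,
# so a string such as "3x4" no longer matches the 3.4 branch.
detect_openssl_branch() {
  # keep only "<major>.<minor>"; input that does not start that way yields ""
  mm=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p')
  case "$mm" in
    1.1)
      # only the 1.1.1 line is relevant; 1.1.0 is reported as unknown
      case "$1" in 1.1.1*) echo ONEONE ;; *) echo UNKNOWN ;; esac ;;
    3.0) echo THREEZERO ;;
    3.1) echo THREEONE ;;
    3.2) echo THREETWO ;;
    3.3) echo THREETHREE ;;
    3.4) echo THREEFOUR ;;
    3.5) echo THREEFIVE ;;
    *)   echo UNKNOWN ;;
  esac
}

# has_native_quic VERSION
# Returns 0 when VERSION is OpenSSL 3.5 or later (the first release with
# upstream QUIC support), 1 otherwise or when VERSION is not a dotted number.
has_native_quic() {
  case "$1" in *.*) ;; *) return 1 ;; esac
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  # reject anything that is not purely numeric in major or minor
  case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$major" -gt 3 ]; then
    return 0
  fi
  [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]
}

# Stand-alone run over constructed version strings. A real run would pass
# "$OPENSSL_QUIC_VERSION" or the second field of `openssl version`.
for v in 1.1.1w 3.0.15 3.4.1 3.5.0 3.6.0 garbage; do
  if has_native_quic "$v"; then q=yes; else q=no; fi
  printf '%-8s branch=%-11s native_quic=%s\n' "$v" "$(detect_openssl_branch "$v")" "$q"
done
```

    Because every branch is decided in one case statement, adding a new release line is a one-line change, and a version nothing matches is reported as UNKNOWN instead of leaving a set of empty variables for later code to misinterpret.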
     
  4. eva2000
    Yeah, even if it doesn't, a lot of clients and devices support ECDSA and would default to ECDSA even for Nginx configured for dual certs with broken dual-cert logic, so it would serve ECDSA anyway. But I haven't checked for ECDSA/RSA dual cert in AWS-LC lately. Been busy with client work etc. :)

    Yeah, it's left for compatibility tests etc. and not enabled by default, so hardly anyone will have QuicTLS in use unless they specifically enable it.

    Right now, EL8/EL9 default to system OpenSSL 1.1.1 / 3.3 respectively, so it's left to system updates unless you want to play with Centmin Mod Nginx's other crypto libraries like custom OpenSSL, BoringSSL, AWS-LC etc.
     
  5. buik
    It seems Enterprise Linux 10 will be released with OpenSSL 3.5, which seems to me a good option for CMM's future.