Cloudflare SSL TLS 1.3 explained by the Cloudflare Crypto Team at 33c3

eva2000 · Feb 3, 2017

The Cloudflare talk introduces TLS 1.3 and explains how it works in technical detail, why it is faster and more secure, and touches on its history and current status.

Unfortunately, OpenSSL and LibreSSL haven't implemented TLS 1.3 yet so not working with Nginx HTTPS yet.

Some info on OpenSSL's TLS 1.3 plans in OpenSSL 1.1.1 https://community.centminmod.com/threads/openssl-and-tls-1-3-next.9286/

BamaStangGuy · Feb 3, 2017

I love that company. Looking forward to seeing what else they do.

eva2000 · Feb 3, 2017

Yes Cloudflare's innovation is amazing as to what they bring to the table for web performance and web security. I can imagine, they're eating into complementary competitor's bottom line a lot i.e. CDNs and smaller anti-DDOS/waf providers and not to mention hold off users' server hardware vertical upgrade paths till a lot later !

buik · Feb 3, 2017

eva2000 said: ↑

Unfortunately, OpenSSL and LibreSSL haven't implemented TLS 1.3 yet so not working with Nginx HTTPS yet.
Click to expand...

Even though it was already released in OpenSSL and could work on Nginx. Which of course is not.
It is quite useless ATM as it is not enabled by default on browsers like Chrome stable (stable 56 with tls 1.3 support) etc.

BoringSSL does have version 1.3 but, you need to patch the code to enable 1.3.

buik · Feb 3, 2017

I have done some testing with BoringSSL but it actually makes no sense. Apart from the above is, 1.3 is still draft.

eva2000 · Feb 26, 2017

Well TLS 1.3 ain't perfect yet - Chrome browser connections hanging up on TLS 1.3 connections 694593 - BlueCoat and other proxies hang up during TLS 1.3 - chromium - Monorail

What is the expected result?
Successful connection. Client and proxy may negotiate down to TLS 1.2 instead of TLS 1.3.

What happens instead?
When Chrome attempts to connect via TLS 1.3, BlueCoat hangs up connection.
Click to expand...

For anyone following this issue, we are working on a Chrome update that should resolve by disabling TLS 1.3 in Chrome 56. In the meantime, there are a few other workarounds you may wish to try.

To be clear, ultimately this is an issue with proxies/firewalls that are not compatible with TLS 1.3. Please continue to work with your proxy/firewall vendor to update to a version that is compatible with TLS 1.3. A future version of Chrome will re-enable TLS 1.3.

Short-term workarounds:

1) On your internal DNS server, create a temporary A record that points clients4.google.com at 64.233.186.102. Once that's in place, restart Chrome / reboot Chrome devices a few times. It may take up to 30 minutes and a few restarts but devices should get the update to stop using TLS 1.2. **Important** be sure to remove the DNS A record once this is fixed. Leaving the record in place WILL BREAK DOWN THE LINE.

2) Have the user visit chrome://flags/#ssl-version-max and set to TLS 1.2. This works for Chrome users but not if the problem is occurring on Chrome OS login screen. **Important** be sure users turn this setting back to Default after leaving it on for 1-2 hours. Otherwise the user will not be able to use the more secure TLS 1.3 in the future and is left with a less secure profile.

3) Allow Chrome to connect directly to the Internet for connections to clients4.google.com. This could be done by connecting the device to a tethered phone, using a home network connection, disabling the firewall/proxy that is breaking TLS 1.3 or routing connections to clients4.google.com around this firewall/proxy. Once Chrome is able to connect to clients4.google.com, it should receive the update to disable TLS 1.3 automatically in 1-2 hours time. Restarts may be required.
Click to expand...

eva2000 · Mar 24, 2017

yay https://community.centminmod.com/th...openssl-tls-1-3-development.10898/#post-46728

Log in / Register

Forums

Discover Centmin Mod today

Cloudflare SSL TLS 1.3 explained by the Cloudflare Crypto Team at 33c3

eva2000 Administrator Staff Member

BamaStangGuy Active Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

Cloudflare SSL TLS 1.3 explained by the Cloudflare Crypto Team at 33c3

eva2000 Administrator Staff Member

BamaStangGuy Active Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.