Re: TLSv1.3 by default?

Maxim Dounin
November 23, 2018 11:52AM
Hello!

On Fri, Nov 23, 2018 at 08:43:03AM -0500, Olaf van der Spek wrote:

> Hi,
>
> Why isn't 1.3 enabled by default (when available)?
>
> Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]
> [TLSv1.3];
> Default:
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

The main reason is that when it was implemented, the TLSv1.3 RFC
wasn't yet finalized, and TLSv1.3 was only available via various
drafts, and only with pre-release versions of OpenSSL.

Now with RFC 8446 published and OpenSSL 1.1.1 with TLSv1.3
released this probably can be reconsidered. On the other hand,
enabling TLSv1.3 is known to break at least some configurations,
see here for an example:

https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share

Also, due to a different approach to configuring ciphers, "ssl_ciphers
aNULL;" will no longer work as a way to indicate no SSL support
with TLSv1.3 enabled (https://trac.nginx.org/nginx/ticket/195).

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
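
An added example, not part of the original post and not nginx project code: a small audit that reports, per `server` block, whether TLSv1.3 is effectively enabled given the default quoted above, and whether an `ssl_ciphers aNULL;` marker sits on a block where TLSv1.3 is on. It assumes the input is the full configuration text (for instance the output of `nginx -T`) with no unresolved `include` lines; the names `audit`, `effective` and `SAMPLE` are hypothetical.

```python
import re

# Default quoted on this page from the 2018 nginx docs; treat it as an
# assumption for any other nginx version.
DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def effective(chain, name, default):
    # The innermost block that sets the directive wins, else the default.
    for frame in reversed(chain):
        if name in frame["d"]:
            return frame["d"][name]
    return default

def audit(conf_text):
    """Return effective TLS settings for every server block in the text."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # simplification: no '#' in quotes
    stack, servers, stmt = [{"name": "main", "d": {}}], [], []
    for tok in TOKEN.findall(text):
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            stack.append({"name": stmt[0] if stmt else "", "d": {}})
            if stack[-1]["name"] == "server":
                # Frames are shared objects, so http-level directives that
                # appear after this server block are still inherited.
                servers.append(list(stack))
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and stmt:
            stack[-1]["d"][stmt[0]] = [a.strip("\"'") for a in stmt[1:]]
        stmt = []
    report = []
    for chain in servers:
        protos = effective(chain, "ssl_protocols", DEFAULT_PROTOCOLS)
        tls13 = "TLSv1.3" in protos
        anull = effective(chain, "ssl_ciphers", []) == ["aNULL"]
        report.append({
            "server_name": (effective(chain, "server_name", []) or [""])[0],
            "protocols": protos,
            "tls13": tls13,
            # Per the post: the aNULL marker stops working once TLSv1.3 is on.
            "anull_marker_broken": tls13 and anull,
        })
    return report

# Constructed sample configuration, not taken from the thread.
SAMPLE = """http {
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example; ssl_ciphers aNULL; }
    server { listen 443 ssl; server_name c.example; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers aNULL; }
}"""
```

On the sample, only `c.example` is reported with `tls13` and `anull_marker_broken` set; `a.example` and `b.example` fall back to the default list and never negotiate TLSv1.3.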