On 7/18/19 1:15 PM, Thomas Ward wrote:
> Might be helpful to point at
> https://trac.nginx.org/nginx/ticket/1654#comment:2 and other issues
> which have spurned the request to rebuild downstream.
>
> Which, given that NGINX built against 1.1.0 downstream and OpenSSL
> downstream in Ubuntu with 1.1.1 is set such that TLS 1.3 is "on by
> default" and therefore is just 'available' and enabled but not able to
> be controlled/disabled by NGINX directly, it DOES work with TLS1.3
> connections and ciphers.  We just can't manipulate things.
>
> The developer concern downstream is this rebuild won't introduce any
> other TLS 1.3 behaviors not already present as a result of OpenSSL being
> "TLS1.3 Enabled By Default" which is the current situation.

Thanks for the trac link.

fwiw, here I've

nginx -V
nginx version: nginx/1.17.1 (local build)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
...

yet, despite the build, I'm seeing some problems with TLSv1.3 cipher
usage/config in Nginx.

cref:

https://mta.openssl.org/pipermail/openssl-users/2019-July/010881.html

I've _just_ started poking around with that, and don't know what/where
the problem lies atm. It _seems_ to me an issue with Nginx, but I
simply am unsure ...

Perhaps something i the trac issue will light a bulb for me; I'll take a
closer look.

Thx o/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel