Welcome! Log In Create A New Profile

Advanced

Re: TLS1.3

Previous Message Next Message
Forum List Message List New Topic Print View
Thomas Ward
July 19, 2019 12:12PM
On 7/19/19 12:09 PM, Maxim Dounin wrote:
> Hello!
>
> On Thu, Jul 18, 2019 at 04:01:39PM -0400, Thomas Ward wrote:
>
>> Downstream, in Ubuntu, we've got NGINX 1.14.0 in the repositories, and
>> TLS 1.3 enabled in the bionic-updates repository due to OpenSSL being
>> bumped to 1.1.1.  We don't currently have a mechanism
>>
>> This means that TLS1.3 is "on by default" with the standard config being
>> rolled.  And nginx cannot control TLS1.3 because it's built against the
>> previous 1.1.0 libs.
>>
>> A request to do a no-change rebuild to allow NGINX has been blocked
>> because we're concerned about other TLS 1.3 behaviorisms and whether
>> there's any other TLS related behaviors we need to be concerned about
>> doing a no-change rebuild against OpenSSL 1.1.1 with this library version.
> So, you are:
>
> - Not concerned about switching OpenSSL library to 1.1.1, which is
> known to introduce multiple behaviour changes, including
> TLS 1.3 enabled by default.
>
> - Not concerned about using unsupported old nginx version.
>
> - But concerned about doing an nginx rebuild against the library
> you are running nginx with.
>
> That sounds even more interesting than switching to OpenSSL 1.1.1 alone.
That's a misconception - I'm working other mechanisms to provide
'updated' versions - but the problem is the 'stable release' process
downstream (just like in Debian, CentOS, etc. it's a headache).
>
>> There's a few considerations here.  We need to make certain that such a
>> rebuild to allow NGINX to control TLS 1.3 protocol or ciphers isn't
>> going to introduce any additional TLS1.3 behaviors or feature
>> functionality that otherwise would not be controlled by OpenSSL under
>> the hood.
>>
>> Is the NGINX team aware of any such 'extra' behaviors regarding TLS 1.3
>> which would be altered or introduced by a rebuild of the 1.14.0 packages
>> against OpenSSL 1.1.1 which would otherwise block such a rebuild?
> TLS 1.3 is disabled by default in nginx, and that's probably the
> most serious change you'll encounter - after recompilation, TLS
> 1.3 will be disabled by default as it should. I'm not aware of
> any additional behaviour changes.

Thanks for this information - this is what I was primarily looking for
an answer for.


Thomas

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

TLS1.3

Thomas Ward 330 July 18, 2019 04:02PM

Re: TLS1.3

PGNet Dev 143 July 18, 2019 04:10PM

Re: TLS1.3

Thomas Ward 138 July 18, 2019 04:16PM

Re: TLS1.3

PGNet Dev 153 July 18, 2019 04:26PM

Re: TLS1.3

Maxim Dounin 137 July 19, 2019 12:10PM

Re: TLS1.3

Thomas Ward 200 July 19, 2019 12:12PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 215
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready