TLS1.3

PGNet Dev pgnet.dev at gmail.com
Thu Jul 18 20:25:45 UTC 2019


On 7/18/19 1:15 PM, Thomas Ward wrote:
> Might be helpful to point at 
> https://trac.nginx.org/nginx/ticket/1654#comment:2 and other issues 
> which have spurred the request to rebuild downstream.
> 
> Which, given that NGINX built against 1.1.0 downstream and OpenSSL 
> downstream in Ubuntu with 1.1.1 is set such that TLS 1.3 is "on by 
> default" and therefore is just 'available' and enabled but not able to 
> be controlled/disabled by NGINX directly, it DOES work with TLS1.3 
> connections and ciphers.  We just can't manipulate things.
> 
> The developer concern downstream is this rebuild won't introduce any 
> other TLS 1.3 behaviors not already present as a result of OpenSSL being 
> "TLS1.3 Enabled By Default" which is the current situation.

Thanks for the trac link.

fwiw,  here I've

  nginx -V
   nginx version: nginx/1.17.1 (local build)
   built with OpenSSL 1.1.1c  28 May 2019
   TLS SNI support enabled
   ...

yet, despite the build, I'm seeing some problems with TLSv1.3 cipher 
usage/config in Nginx.

cref:

   https://mta.openssl.org/pipermail/openssl-users/2019-July/010881.html

I've _just_ started poking around with that, and don't know what/where 
the problem lies atm.  It _seems_ to me an issue with Nginx, but I 
simply am unsure ...

Perhaps something in the trac issue will light a bulb for me; I'll take a 
closer look.

Thx o/


More information about the nginx-devel mailing list