TLS1.3

Thomas Ward teward at thomas-ward.net
Thu Jul 18 20:01:39 UTC 2019


Hello.

Downstream, in Ubuntu, we've got NGINX 1.14.0 in the repositories, and
TLS 1.3 enabled in the bionic-updates repository due to OpenSSL being
bumped to 1.1.1.  We don't currently have a mechanism

This means that TLS1.3 is "on by default" with the standard config being
rolled.  And nginx cannot control TLS1.3 because it's built against the
previous 1.1.0 libs.

A request to do a no-change rebuild to allow NGINX has been blocked
because we're concerned about other TLS 1.3 behaviorisms and whether
there are any other TLS-related behaviors we need to be concerned about
when doing a no-change rebuild against OpenSSL 1.1.1 with this library version.

There are a few considerations here.  We need to make certain that such a
rebuild to allow NGINX to control TLS 1.3 protocol or ciphers isn't
going to introduce any additional TLS1.3 behaviors or feature
functionality that otherwise would not be controlled by OpenSSL under
the hood.

Is the NGINX team aware of any such 'extra' behaviors regarding TLS 1.3
which would be altered or introduced by a rebuild of the 1.14.0 packages
against OpenSSL 1.1.1 which would otherwise block such a rebuild?


Thomas
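The mismatch the post describes (nginx compiled against OpenSSL 1.1.0 headers but loading the 1.1.1 shared library, so TLS 1.3 is negotiated yet not controllable from nginx.conf) is visible in `nginx -V` output. The following is an added example, not code from the post or from the nginx project; it parses a constructed `nginx -V` sample and reports whether TLS 1.3 can be negotiated at runtime and whether the nginx binary was built with TLS 1.3-aware headers. The `TLS13_MIN` threshold (OpenSSL 1.1.1) and the sample text are assumptions of this example.

```python
import re
from typing import NamedTuple

# `nginx -V` (written to stderr) reports the OpenSSL it was compiled against and,
# only when the runtime library differs, the one it is actually running with:
#   built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
_BUILT_RE = re.compile(r"built with OpenSSL (\d+\.\d+\.\d+[a-z]*)")
_RUNNING_RE = re.compile(r"running with OpenSSL (\d+\.\d+\.\d+[a-z]*)")

TLS13_MIN = (1, 1, 1, "")  # first OpenSSL release with TLS 1.3 support (assumption)

def parse_version(text):
    """Turn '1.1.0g' into a comparable tuple (1, 1, 0, 'g')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

class TlsReport(NamedTuple):
    built_with: str
    running_with: str
    tls13_negotiable: bool    # runtime library is able to negotiate TLS 1.3
    tls13_controllable: bool  # nginx binary was compiled with TLS 1.3-aware headers

def assess(nginx_v_output):
    """Classify an `nginx -V` dump; raises ValueError if no OpenSSL line is found."""
    built = _BUILT_RE.search(nginx_v_output)
    if not built:
        raise ValueError("no 'built with OpenSSL' line in nginx -V output")
    running = _RUNNING_RE.search(nginx_v_output)
    built_s = built.group(1)
    # No "(running with ...)" clause means headers and runtime library match.
    running_s = running.group(1) if running else built_s
    return TlsReport(
        built_with=built_s,
        running_with=running_s,
        tls13_negotiable=parse_version(running_s) >= TLS13_MIN,
        tls13_controllable=parse_version(built_s) >= TLS13_MIN,
    )

# Constructed sample mirroring the Ubuntu 18.04 situation described in the post.
SAMPLE = ("nginx version: nginx/1.14.0 (Ubuntu)\n"
          "built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)\n"
          "TLS SNI support enabled\n")

if __name__ == "__main__":
    r = assess(SAMPLE)
    if r.tls13_negotiable and not r.tls13_controllable:
        print(f"built {r.built_with}, running {r.running_with}: TLS 1.3 on but not controllable")
```

On a real host, feed it the stderr of `nginx -V` instead of `SAMPLE`; a report with `tls13_negotiable` true and `tls13_controllable` false is exactly the state the post asks about.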
