TLS1.3
Maxim Dounin
mdounin at mdounin.ru
Fri Jul 19 16:09:41 UTC 2019
Hello!
On Thu, Jul 18, 2019 at 04:01:39PM -0400, Thomas Ward wrote:
> Downstream, in Ubuntu, we've got NGINX 1.14.0 in the repositories, and
> TLS 1.3 enabled in the bionic-updates repository due to OpenSSL being
> bumped to 1.1.1. We don't currently have a mechanism
>
> This means that TLS1.3 is "on by default" with the standard config being
> rolled. And nginx cannot control TLS1.3 because it's built against the
> previous 1.1.0 libs.
>
> A request to do a no-change rebuild to allow NGINX has been blocked
> because we're concerned about other TLS 1.3 behaviorisms and whether
> there's any other TLS related behaviors we need to be concerned about
> doing a no-change rebuild against OpenSSL 1.1.1 with this library version.
So, you are:
- Not concerned about switching OpenSSL library to 1.1.1, which is
known to introduce multiple behaviour changes, including
TLS 1.3 enabled by default.
- Not concerned about using unsupported old nginx version.
- But concerned about doing an nginx rebuild against the library
you are running nginx with.
That sounds even more interesting than switching to OpenSSL 1.1.1 alone.
> There's a few considerations here. We need to make certain that such a
> rebuild to allow NGINX to control TLS 1.3 protocol or ciphers isn't
> going to introduce any additional TLS1.3 behaviors or feature
> functionality that otherwise would not be controlled by OpenSSL under
> the hood.
>
> Is the NGINX team aware of any such 'extra' behaviors regarding TLS 1.3
> which would be altered or introduced by a rebuild of the 1.14.0 packages
> against OpenSSL 1.1.1 which would otherwise block such a rebuild?
TLS 1.3 is disabled by default in nginx, and that's probably the
most serious change you'll encounter - after recompilation, TLS
1.3 will be disabled by default as it should. I'm not aware of
any additional behaviour changes.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list