TLS1.3

Maxim Dounin mdounin at mdounin.ru
Fri Jul 19 16:09:41 UTC 2019


Hello!

On Thu, Jul 18, 2019 at 04:01:39PM -0400, Thomas Ward wrote:

> Downstream, in Ubuntu, we've got NGINX 1.14.0 in the repositories, and
> TLS 1.3 enabled in the bionic-updates repository due to OpenSSL being
> bumped to 1.1.1.  We don't currently have a mechanism
> 
> This means that TLS1.3 is "on by default" with the standard config being
> rolled.  And nginx cannot control TLS1.3 because it's built against the
> previous 1.1.0 libs.
> 
> A request to do a no-change rebuild to allow NGINX has been blocked
> because we're concerned about other TLS 1.3 behaviorisms and whether
> there's any other TLS related behaviors we need to be concerned about
> doing a no-change rebuild against OpenSSL 1.1.1 with this library version.

So, you are:

- Not concerned about switching OpenSSL library to 1.1.1, which is 
  known to introduce multiple behaviour changes, including 
  TLS 1.3 enabled by default.

- Not concerned about using unsupported old nginx version.

- But concerned about doing an nginx rebuild against the library 
  you are running nginx with.

That sounds even more interesting than switching to OpenSSL 1.1.1 alone.

> There's a few considerations here.  We need to make certain that such a
> rebuild to allow NGINX to control TLS 1.3 protocol or ciphers isn't
> going to introduce any additional TLS1.3 behaviors or feature
> functionality that otherwise would not be controlled by OpenSSL under
> the hood.
> 
> Is the NGINX team aware of any such 'extra' behaviors regarding TLS 1.3
> which would be altered or introduced by a rebuild of the 1.14.0 packages
> against OpenSSL 1.1.1 which would otherwise block such a rebuild?

TLS 1.3 is disabled by default in nginx, and that's probably the 
most serious change you'll encounter - after recompilation, TLS 
1.3 will be disabled by default as it should.  I'm not aware of 
any additional behaviour changes.

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx-devel mailing list