TLS1.3

Thomas Ward teward at thomas-ward.net
Fri Jul 19 16:11:48 UTC 2019


On 7/19/19 12:09 PM, Maxim Dounin wrote:
> Hello!
>
> On Thu, Jul 18, 2019 at 04:01:39PM -0400, Thomas Ward wrote:
>
>> Downstream, in Ubuntu, we've got NGINX 1.14.0 in the repositories, and
>> TLS 1.3 enabled in the bionic-updates repository due to OpenSSL being
>> bumped to 1.1.1.  We don't currently have a mechanism
>>
>> This means that TLS1.3 is "on by default" with the standard config being
>> rolled.  And nginx cannot control TLS1.3 because it's built against the
>> previous 1.1.0 libs.
>>
>> A request to do a no-change rebuild to allow NGINX has been blocked
>> because we're concerned about other TLS 1.3 behaviorisms and whether
>> there's any other TLS related behaviors we need to be concerned about
>> doing a no-change rebuild against OpenSSL 1.1.1 with this library version.
> So, you are:
>
> - Not concerned about switching OpenSSL library to 1.1.1, which is 
>   known to introduce multiple behaviour changes, including 
>   TLS 1.3 enabled by default.
>
> - Not concerned about using unsupported old nginx version.
>
> - But concerned about doing an nginx rebuild against the library 
>   you are running nginx with.
>
> That sounds even more interesting than switching to OpenSSL 1.1.1 alone.
That's a misconception - I'm working on other mechanisms to provide
'updated' versions - but the problem is the 'stable release' process
downstream (just like in Debian, CentOS, etc. it's a headache).
>
>> There's a few considerations here.  We need to make certain that such a
>> rebuild to allow NGINX to control TLS 1.3 protocol or ciphers isn't
>> going to introduce any additional TLS1.3 behaviors or feature
>> functionality that otherwise would not be controlled by OpenSSL under
>> the hood.
>>
>> Is the NGINX team aware of any such 'extra' behaviors regarding TLS 1.3
>> which would be altered or introduced by a rebuild of the 1.14.0 packages
>> against OpenSSL 1.1.1 which would otherwise block such a rebuild?
> TLS 1.3 is disabled by default in nginx, and that's probably the 
> most serious change you'll encounter - after recompilation, TLS 
> 1.3 will be disabled by default as it should.  I'm not aware of 
> any additional behaviour changes.

Thanks for this information - this is what I was primarily looking for
an answer for.


Thomas
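As an added check, not part of the thread or of nginx itself: a small POSIX shell script that parses `nginx -V` output to tell whether nginx was built against the same OpenSSL it is running with, which is the situation that decides whether nginx's `ssl_protocols` can control TLS 1.3 at all. The sample output is constructed for the case described above (nginx 1.14.0 built against 1.1.0, running on 1.1.1) and assumes the "built with ... (running with ...)" line nginx prints when the two versions differ.

```shell
#!/bin/sh
# Constructed sample of `nginx -V` output (nginx writes it to stderr) for the
# situation in the thread: built against OpenSSL 1.1.0 but loaded with 1.1.1.
SAMPLE_NGINX_V='nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled
configure arguments: --with-http_ssl_module'

# OpenSSL version nginx was compiled against.
built_openssl() {
    printf '%s\n' "$1" \
        | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# OpenSSL version nginx is actually running with. nginx only prints the
# "(running with ...)" suffix when it differs from the build version, so
# the absence of the suffix means both versions are the same.
running_openssl() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/.*(running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        built_openssl "$1"
    fi
}

# Returns 0 when nginx is built against the library it runs with, 1 when the
# two differ (the case where a no-change rebuild is needed before nginx's
# ssl_protocols setting can govern TLS 1.3).
openssl_build_matches() {
    b=$(built_openssl "$1")
    r=$(running_openssl "$1")
    if [ "$b" = "$r" ]; then
        echo "ok: built and running with OpenSSL $b"
        return 0
    fi
    echo "mismatch: built with OpenSSL $b, running with OpenSSL $r"
    return 1
}

# Stand-alone run against the constructed sample; on a real host replace
# "$SAMPLE_NGINX_V" with "$(nginx -V 2>&1)".
openssl_build_matches "$SAMPLE_NGINX_V"
```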
