TLS1.3
Thomas Ward
teward at thomas-ward.net
Fri Jul 19 16:11:48 UTC 2019
On 7/19/19 12:09 PM, Maxim Dounin wrote:
> Hello!
>
> On Thu, Jul 18, 2019 at 04:01:39PM -0400, Thomas Ward wrote:
>
>> Downstream, in Ubuntu, we've got NGINX 1.14.0 in the repositories, and
>> TLS 1.3 enabled in the bionic-updates repository due to OpenSSL being
>> bumped to 1.1.1. We don't currently have a mechanism
>>
>> This means that TLS1.3 is "on by default" with the standard config being
>> rolled. And nginx cannot control TLS1.3 because it's built against the
>> previous 1.1.0 libs.
>>
>> A request to do a no-change rebuild to allow NGINX has been blocked
>> because we're concerned about other TLS 1.3 behaviorisms and whether
>> there's any other TLS related behaviors we need to be concerned about
>> doing a no-change rebuild against OpenSSL 1.1.1 with this library version.
> So, you are:
>
> - Not concerned about switching OpenSSL library to 1.1.1, which is
> known to introduce multiple behaviour changes, including
> TLS 1.3 enabled by default.
>
> - Not concerned about using unsupported old nginx version.
>
> - But concerned about doing an nginx rebuild against the library
> you are running nginx with.
>
> That sounds even more interesting than switching to OpenSSL 1.1.1 alone.
That's a misconception - I'm working other mechanisms to provide
'updated' versions - but the problem is the 'stable release' process
downstream (just like in Debian, CentOS, etc. it's a headache).
>
>> There's a few considerations here. We need to make certain that such a
>> rebuild to allow NGINX to control TLS 1.3 protocol or ciphers isn't
>> going to introduce any additional TLS1.3 behaviors or feature
>> functionality that otherwise would not be controlled by OpenSSL under
>> the hood.
>>
>> Is the NGINX team aware of any such 'extra' behaviors regarding TLS 1.3
>> which would be altered or introduced by a rebuild of the 1.14.0 packages
>> against OpenSSL 1.1.1 which would otherwise block such a rebuild?
> TLS 1.3 is disabled by default in nginx, and that's probably the
> most serious change you'll encounter - after recompilation, TLS
> 1.3 will be disabled by default as it should. I'm not aware of
> any additional behaviour changes.
Thanks for this information - this is what I was primarily looking for
an answer for.
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20190719/073d2638/attachment-0001.html>
More information about the nginx-devel
mailing list