TLSv1.3 by default?
Maxim Dounin
mdounin at mdounin.ru
Fri Nov 23 16:51:00 UTC 2018
Hello!
On Fri, Nov 23, 2018 at 08:43:03AM -0500, Olaf van der Spek wrote:
> Hi,
>
> Why isn't 1.3 enabled by default (when available)?
>
> Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]
> [TLSv1.3];
> Default:
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
The main reason is that when it was implemented, TLSv1.3 RFC
wasn't yet finalized, and TLSv1.3 was only available via various
drafts, and only with pre-release versions of OpenSSL.
Now with RFC 8446 published and OpenSSL 1.1.1 with TLSv1.3
released this probably can be reconsidered. On the other hand,
enabling TLSv1.3 is known to break at least some configurations,
see here for an example:
https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
Also, due to different approach to configure ciphers, "ssl_ciphers
aNULL;" will no longer work as a way to indicate no SSL support
with TLSv1.3 enabled (https://trac.nginx.org/nginx/ticket/195).
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list