Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#1533 closed task (duplicate)

Some news about "support configure TLS1.3-Only ciphers"

Reported by: firedoger@… Owned by:
Priority: minor Milestone: nginx-1.15
Component: nginx-module Version: 1.13.x
Keywords: TLS1.3 new openssl api Cc:
uname -a: Linux fox 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.1.1-pre6-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/openssl --add-module=/usr/local/src/ngx_brotli --with-cc-opt=-DTCP_FASTOPEN=23


I have noticed this ticket : , then i have a talk with Rich Salz ( one of leading member of OpenSSL team , ) ,

He has already confirmed :"It's what we're doing. Will not change. They should support it, hopefully soon"

So , i think nginx should have a plan to support this feature ,thanks.


Origin link:

Change History (9)

comment:1 by Ilyas Bakirov, 6 years ago

Please look nginx's roadmap for future planned work:

Last edited 6 years ago by Ilyas Bakirov (previous) (diff)

comment:2 by Maxim Dounin, 6 years ago

Resolution: duplicate
Status: newclosed

Thank you for the information. Closing this as a duplicate of #1529.

comment:3 by maxim, 6 years ago

Milestone: 1.15nginx-1.15

Milestone renamed

comment:4 by rbaranauskas@…, 5 years ago

I don't really get the situation

  • #1533 (this one) is closed, because it's a duplicate, and "please see planned work";
  • but then, #1529 is also closed, because openssl way is "a band aid", but over here it is stated that it's not a band aid, it's the thing;
  • and #1670 got closed because tls 1.3 can be configured using different interface, so yeah, it can be, but nginx does not support it.

And openssl.conf solution is not a solution, maybe someone needs to configure it per website, like it can be done with ssl_ciphers directive.

So is it going to be supported?

comment:5 by Maxim Dounin, 5 years ago

This ticket is closed because it is duplicate of #1529 (the "planned work" comment is from a random person who tried to help). Similarly, ticket #1670 was closed because it is duplicate of #1529 (and the rest of the comment simply explains why what one cannot configure ciphers using the traditional interface). For the most recent status, see comment:11:ticket:1529.

comment:6 by rbaranauskas@…, 5 years ago

So the status of #1529 as "won't fix" is wrong, and you are doing something regarding the issue?

comment:7 by Maxim Dounin, 5 years ago

The status is correct. We may, however, consider introducing a workaround if OpenSSL will clearly fail to fix this on their side.

comment:8 by rbaranauskas@…, 5 years ago

Got it, thanks for the explanation!

comment:9 by rbaranauskas@…, 5 years ago

Just FYI, there are no plans to fix the approach on the OpenSSL side, reference:

Note: See TracTickets for help on using tickets.