Opened 5 years ago
Closed 5 years ago
Last modified 4 years ago
#1533 closed task (duplicate)
Some news about "support configure TLS1.3-Only ciphers"
|Reported by:||Owned by:|
|Keywords:||TLS1.3 new openssl api||Cc:|
|uname -a:||Linux fox 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux|
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.1.1-pre6-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/openssl --add-module=/usr/local/src/ngx_brotli --with-cc-opt=-DTCP_FASTOPEN=23
I have noticed this ticket: https://trac.nginx.org/nginx/ticket/1529, then I had a talk with Rich Salz (one of the leading members of the OpenSSL team, https://github.com/richsalz).
He has already confirmed: "It's what we're doing. Will not change. They should support it, hopefully soon"
So, I think nginx should have a plan to support this feature, thanks.
Origin link: https://twitter.com/RichSalz/status/986123531913134080
Change History (9)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
|Status:||new → closed|
Thank you for the information. Closing this as a duplicate of #1529.
comment:3 by , 5 years ago
|Milestone:||1.15 → nginx-1.15|
comment:4 by , 4 years ago
I don't really get the situation
- #1533 (this one) is closed, because it's a duplicate, and "please see planned work";
- but then, #1529 is also closed, because openssl way is "a band aid", but over here it is stated that it's not a band aid, it's the thing;
- and #1670 got closed because tls 1.3 can be configured using different interface, so yeah, it can be, but nginx does not support it.
And openssl.conf solution is not a solution, maybe someone needs to configure it per website, like it can be done with ssl_ciphers directive.
So is it going to be supported?
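The behaviour this thread is about, as an added example that is not part of the ticket or of nginx: a traditional cipher string leaves the TLS 1.3 suites enabled, so an audit has to check them separately. It assumes Python's `ssl` module linked against OpenSSL 1.1.1 or later, used here as a stand-in for any application that only exposes the traditional cipher-list setting; the policy string and function names are constructed for illustration.

```python
import ssl

# True when the linked OpenSSL build supports TLS 1.3 at all.
HAS_TLS13 = ssl.HAS_TLSv1_3


def split_by_protocol(cipher_string):
    """Apply a traditional OpenSSL cipher string and return
    (tls13_names, other_names) for the suites left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # set_ciphers() goes through the traditional cipher-list interface,
    # the one a directive such as ssl_ciphers feeds.
    ctx.set_ciphers(cipher_string)
    tls13, other = [], []
    for suite in ctx.get_ciphers():
        bucket = tls13 if suite["protocol"] == "TLSv1.3" else other
        bucket.append(suite["name"])
    return tls13, other


def unexpected_tls13(cipher_string, allowed_tls13):
    """Return TLS 1.3 suites still enabled that the operator did not intend."""
    tls13, _ = split_by_protocol(cipher_string)
    return sorted(set(tls13) - set(allowed_tls13))


if __name__ == "__main__":
    # Constructed policy: one TLS 1.2 suite, and the operator believes
    # only AES-256-GCM should be offered for TLS 1.3.
    policy = "ECDHE-RSA-AES128-GCM-SHA256"
    tls13, other = split_by_protocol(policy)
    print("TLS 1.2 and below:", other)
    print("TLS 1.3 (not governed by the cipher string):", tls13)
    print("unexpected:", unexpected_tls13(policy, ["TLS_AES_256_GCM_SHA384"]))
```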
comment:5 by , 4 years ago
This ticket is closed because it is a duplicate of #1529 (the "planned work" comment is from a random person who tried to help). Similarly, ticket #1670 was closed because it is a duplicate of #1529 (and the rest of the comment simply explains why one cannot configure ciphers using the traditional interface). For the most recent status, see comment:11:ticket:1529.
comment:6 by , 4 years ago
So the status of #1529 as "won't fix" is wrong, and you are doing something regarding the issue?
comment:7 by , 4 years ago
The status is correct. We may, however, consider introducing a workaround if OpenSSL will clearly fail to fix this on their side.
comment:8 by , 4 years ago
Got it, thanks for the explanation!
comment:9 by , 4 years ago
Just FYI, there are no plans to fix the approach on the OpenSSL side, reference: https://github.com/openssl/openssl/issues/7938.
Please look at nginx's roadmap for future planned work: