#1533 closed task (duplicate)
Some news about "support configure TLS1.3-Only ciphers"
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | nginx-1.15 |
| Component: | nginx-module | Version: | 1.13.x |
| Keywords: | TLS1.3 new openssl api | Cc: | |
| uname -a: | Linux fox 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.1.1-pre6-dev xx XXX xxxx TLS SNI support enabled configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/openssl --add-module=/usr/local/src/ngx_brotli --with-cc-opt=-DTCP_FASTOPEN=23 |
||
Description
I have noticed this ticket :https://trac.nginx.org/nginx/ticket/1529 , then i have a talk with Rich Salz ( one of leading member of OpenSSL team , https://github.com/richsalz ) ,
He has already confirmed :"It's what we're doing. Will not change. They should support it, hopefully soon"
So , i think nginx should have a plan to support this feature ,thanks.
Screenshoot: https://i.imgur.com/gwVod7G.png
Origin link: https://twitter.com/RichSalz/status/986123531913134080
Change History (9)
comment:2 by , 7 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Thank you for the information. Closing this as a duplicate of #1529.
comment:4 by , 6 years ago
I don't really get the situation
- #1533 (this one) is closed, because it's a duplicate, and "please see planned work";
- but then, #1529 is also closed, because openssl way is "a band aid", but over here it is stated that it's not a band aid, it's the thing;
- and #1670 got closed because tls 1.3 can be configured using different interface, so yeah, it can be, but nginx does not support it.
And openssl.conf solution is not a solution, maybe someone needs to configure it per website, like it can be done with ssl_ciphers directive.
So is it going to be supported?
comment:5 by , 6 years ago
This ticket is closed because it is duplicate of #1529 (the "planned work" comment is from a random person who tried to help). Similarly, ticket #1670 was closed because it is duplicate of #1529 (and the rest of the comment simply explains why what one cannot configure ciphers using the traditional interface). For the most recent status, see comment:11:ticket:1529.
comment:6 by , 6 years ago
So the status of #1529 as "won't fix" is wrong, and you are doing something regarding the issue?
comment:7 by , 6 years ago
The status is correct. We may, however, consider introducing a workaround if OpenSSL will clearly fail to fix this on their side.
comment:9 by , 6 years ago
Just FYI, there are no plans to fix the approach on the OpenSSL side, reference: https://github.com/openssl/openssl/issues/7938.
Please look nginx's roadmap for future planned work:
https://trac.nginx.org/nginx/roadmap