[RFC 8446] Add support for TLS 1.3 #388
Using milestone instead.
Link to the milestone: https://github.com/awslabs/s2n/milestone/1 It's currently empty, could we get a brief update for those of us following from outside the project? Thanks in advance.
We're working on it. We'll start opening Pull Requests for TLS 1.3 once the RFC is finalized and out of draft mode.
Looks like TLS 1.3 is now officially an RFC: https://www.rfc-editor.org/info/rfc8446 😄
Any timeline for the TLS 1.3 release from s2n?
We have a goal to ship it in 2018, and we're happy for help! Some TLS1.3 work is already in progress, and there are even commits made already that are preparatory, such as re-organizing the core state machine and adding HKDF. The reasons for waiting are a combination of AWS policy, where we tend to avoid running experimental protocols in production, and waiting until a version of OpenSSL is ready so that end-to-end compatibility and regression tests with another implementation can be present.
Thanks for the prompt reply. Is it possible to try out a beta while waiting for the final release? Maybe this is against the AWS policy but it would facilitate some implementation work that relies on s2n.
I finished reading all ~160 pages of the TLS 1.3 RFC last week and highlighted all the parts that are new or changed from TLS 1.2 as I was reading it, but I haven't had time yet to sit down and create GitHub Issues for everything. I'm planning on going through my highlights and creating GitHub issues for all the TLS 1.3 work sometime soon (hopefully in the next week). Edit: GitHub Issues created here.
So what's the situation with this? Almost a year has gone by and nothing has happened to TLS 1.3 support? It would be nice to get fewer round-trips to lessen the time to first byte.
We're working on it now as it happens :) This did get deprioritized a bit, based on a mix of things. In short: we wanted to perform more analysis of TLS1.3 (and in fact found a small issue) and some other priorities overtook it.
@colmmacc If I may, what was the "small issue"?
I believe the issues Colm was referring to were the following:
Any news on the TLS 1.3 progress?
I'd very much like to know the same.
We are making good progress on TLS 1.3. You can track our effort by checking this project https://github.com/awslabs/s2n/projects/6
For people interested, the new project seems to be https://github.com/awslabs/s2n/projects/9
Will that project be sufficient to actually roll out working TLSv1.3 in AWS ALBs, CloudFront, et al.? Considering that the prior project is long done, and earlier in this thread the claim was that it would be out in 2018 (which, unless one of the tickets includes time travel, obvs is not happening)...
We are in August 2020 :) Any light on the TLSv1.3 release?
I would check the projects here: https://github.com/awslabs/s2n/projects
Is there an estimated ETA for ALB TLS 1.3 support?
@dougch Separately, I'm curious about ETA for TLS_CHACHA20_POLY1305_SHA256 on the ALB <-> Backend side. (Not a high priority, just a curiosity, particularly with respect to arm-based EC2 instances.)
And now it's August 2021...
Amazon is a small startup with barely enough funding to get more than three engs full-time, be understanding guys.
@dougch for me it's being supported here https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html Using part 3 has now been closed, but I still can't use TLS 1.3
Thank you for your comments.
Would it be possible to add this as a security policy then?
I contacted the ALB team and asked them to reach out to you and provide more details about their TLS1.3 plans.
On AMI Linux 2, if I do a
AWS Team, what are the plans for adding support for TLS1.3 on AWS ALB? I have a customer insisting on the same to be security compliant. AWS NLB has supported it for a long time and I don't see any roadmap for ALB yet.
NLB listener support for TLS 1.3 has landed https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies late last year or early this year. Thanks 👍🏼
I am looking for TLS 1.3 on ALB and since it is yet not available, I am using NLB - ALB bridging to achieve TLS 1.3. Here is the quick view of the architecture. I did not use NLB with ALB as Target group because it only supports TCP 443 as protocol which would mean that TLS termination happens at ALB instead and I still end up with TLS 1.2 policy on ALB.
Unfortunately, I'm not seeing that option in my ALB settings (us-east-1). 😞 Also the ALB docs have not been updated and still recommend ELBSecurityPolicy-2016-08. Maybe the updates haven't rolled out to all the accounts/regions/zones yet. 🤷
@rnhurt I guess it didn't apply to all regions. I hope to have it rolled out to all regions soon.
It's there on the CLI: `aws --region=ap-northeast-2 elbv2 describe-ssl-policies | grep -B 8 TLSv1.3`
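The grep above tells you whether the string `TLSv1.3` appears somewhere in the region's policy catalogue; for a compliance question it is worth also checking which policy that is, whether it still accepts TLS 1.0/1.1 alongside 1.3, and whether it is offered for your load-balancer type, since the thread notes the rollout was region by region. The script below is an added example for this thread, not s2n's or AWS's code. It parses the JSON that `aws elbv2 describe-ssl-policies --output json` emits; the embedded `SAMPLE` is a constructed document in that shape, not captured from an account, and the cipher lists per policy are illustrative. The function names are mine.

```python
"""Check `aws elbv2 describe-ssl-policies` output for usable TLS 1.3 policies.

Added example for this thread (not s2n or AWS code). SAMPLE is constructed
in the shape of the real CLI output; it was not captured from an account.
"""
import json
import sys
from typing import List, Optional

# Constructed sample in the shape of `aws elbv2 describe-ssl-policies --output json`.
SAMPLE = json.dumps({
    "SslPolicies": [
        {
            "Name": "ELBSecurityPolicy-2016-08",
            "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
            ],
            "SupportedLoadBalancerTypes": ["application", "network"],
        },
        {
            "Name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "SslProtocols": ["TLSv1.2", "TLSv1.3"],
            "Ciphers": [
                {"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 2},
                {"Name": "TLS_CHACHA20_POLY1305_SHA256", "Priority": 3},
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 4},
            ],
            "SupportedLoadBalancerTypes": ["application", "network"],
        },
        {
            "Name": "ELBSecurityPolicy-TLS13-1-3-2021-06",
            "SslProtocols": ["TLSv1.3"],
            "Ciphers": [
                {"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 2},
                {"Name": "TLS_CHACHA20_POLY1305_SHA256", "Priority": 3},
            ],
            "SupportedLoadBalancerTypes": ["application"],
        },
    ]
})

# Protocol versions a compliance-driven listener should not accept.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _policies(payload: str, lb_type: Optional[str]) -> List[dict]:
    """Parse the CLI JSON; optionally keep only policies usable on one LB type."""
    policies = json.loads(payload)["SslPolicies"]
    if lb_type is None:
        return policies
    return [p for p in policies if lb_type in p.get("SupportedLoadBalancerTypes", [])]


def policies_supporting(payload: str, protocol: str = "TLSv1.3",
                        lb_type: Optional[str] = None) -> List[str]:
    """Names of policies whose SslProtocols list contains `protocol`."""
    return [p["Name"] for p in _policies(payload, lb_type)
            if protocol in p["SslProtocols"]]


def strict_tls13_policies(payload: str, lb_type: Optional[str] = None) -> List[str]:
    """TLS 1.3 policies that also refuse every protocol in LEGACY_PROTOCOLS.

    A policy that adds TLSv1.3 but still negotiates TLSv1.0 does not satisfy a
    "TLS 1.3 for compliance" requirement, so both conditions are checked.
    """
    return [p["Name"] for p in _policies(payload, lb_type)
            if "TLSv1.3" in p["SslProtocols"]
            and not LEGACY_PROTOCOLS.intersection(p["SslProtocols"])]


def policy_offers_cipher(payload: str, policy_name: str, cipher: str) -> bool:
    """True if the named policy lists `cipher`.

    Raises KeyError when the policy is absent, so "not rolled out to this
    region yet" is never mistaken for "cipher disabled".
    """
    for p in _policies(payload, None):
        if p["Name"] == policy_name:
            return any(c["Name"] == cipher for c in p["Ciphers"])
    raise KeyError(f"policy {policy_name!r} not in describe-ssl-policies output")


if __name__ == "__main__":
    # Pipe real CLI output in; fall back to the constructed sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    lb = sys.argv[1] if len(sys.argv) > 1 else None
    print("TLS 1.3 policies:", policies_supporting(data, lb_type=lb))
    print("TLS 1.3 without legacy protocols:", strict_tls13_policies(data, lb_type=lb))
```

Run it against a region with `aws elbv2 describe-ssl-policies --region us-east-1 --output json | python3 tls13_policies.py application`; an empty second list means the region either has no TLS 1.3 policy yet or only one that still carries TLS 1.0/1.1, which is the case the bare grep cannot distinguish.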
Yup, I can see it in the CLI for us-east-1 but not in the console (yet).
Official Doc "Application Load Balancer now supports TLS 1.3" is here https://aws.amazon.com/about-aws/whats-new/2023/03/application-load-balancer-tls-1-3/
Placeholder Issue to track all of the work that we need to do for adding support for TLS 1.3