Create a TLS 1.3 security enhancement for nginx

[schoen]

Apparently nginx has implemented TLS 1.3 and you have to turn it on in the configuration. (I don't know what happens if you try to enable it with an older version of nginx without TLS 1.3 support—apparently it may have been syntactically invalid before the nginx 1.13 release?)

It would be useful to have an enhancement that enables this in a Certbot-edited nginx configuration if it isn't already enabled, perhaps with some kind of check for the software environment to ensure that it would actually work and not make the configuration invalid!

I also don't know how this affects ciphersuites, since the supported ciphersuites in TLS 1.3 are different from earlier versions.

[schoen]

As an update, apparently the people responsible for the Mozilla configuration recommendations at

https://mozilla.github.io/server-side-tls/ssl-config-generator/

are currently discussing how and when to incorporate TLS 1.3 in those recommendations. Since we normally follow these recommendations, the current plan is to wait for 1.3 to be recommended by Mozilla there and then incorporate that automatically in our configuration defaults (as far as practicable), rather than creating a separate security enhancement.

[obendev]

Is certbot depending on openssl?
They just released 1.1.1 with TLS 1.3 support > https://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1
https://wiki.openssl.org/index.php/TLS1.3

Update: Just found out that 1.1.1 is also LTS: https://www.openssl.org/blog/blog/2018/09/11/release111/

Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible.

[iofu728]

I am looking forward to wait certbot support TLS1.3.

[obendev]

apache2 now also supports TLS 1.3 in version 2.4.36 with openssl 1.1.1
https://github.com/apache/httpd/blob/2.4.36/CHANGES

Apparently the people responsible for the Mozilla configuration recommendations are discussing a bit too long.
So many services support TLS 1.3 now...

Chrome 70 also supports the final version of TLS 1.3 now... And the next days Firefox will get the update as well.

[michaelsstuff]

Just tried it with OpenSSL 1.1.1 11 Sep 2018, and run into a problem:

Traceback (most recent call last): File "/usr/bin/certbot", line 7, in <module> from certbot.main import main File "/usr/lib/python3.6/site-packages/certbot/main.py", line 10, in <module> import josepy as jose File "/usr/lib/python3.6/site-packages/josepy/__init__.py", line 44, in <module> from josepy.interfaces import JSONDeSerializable File "/usr/lib/python3.6/site-packages/josepy/interfaces.py", line 8, in <module> from josepy import errors, util File "/usr/lib/python3.6/site-packages/josepy/util.py", line 4, in <module> import OpenSSL File "/usr/lib/python3.6/site-packages/OpenSSL/__init__.py", line 8, in <module> from OpenSSL import crypto, SSL File "/usr/lib/python3.6/site-packages/OpenSSL/crypto.py", line 16, in <module> from OpenSSL._util import ( File "/usr/lib/python3.6/site-packages/OpenSSL/_util.py", line 6, in <module> from cryptography.hazmat.bindings.openssl.binding import Binding File "/usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module> from cryptography.hazmat.bindings._openssl import ffi, lib ImportError: Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: SSL_CTX_set_psk_client_callback: symbol not found

Seems to be related to this https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_client_callback.html

[stale]

To help us better see what issues are still affecting our users, this issue has been automatically marked as stale. If you still have this issue with an up-to-date version of Certbot and are interested in seeing it resolved, please add a comment letting us know. If there is no further activity, this issue will be automatically closed.

[bmw]

This issue has been closed due to lack of activity, but if you think it should be reopened, please open a new issue with a link to this one and we'll take a look.