Add support for TLS 1.3 #228

Open
kaze87 opened this Issue Sep 22, 2016 · 14 comments

kaze87 commented Sep 22, 2016

Will LibreSSL wait for OpenSSL to add TLS 1.3 support?
openssl/openssl#963

Member

4a6f656c commented Sep 27, 2016

It will happen at some point, but there's currently no specific timeline.

myfreeweb commented Jan 9, 2017

ThomasAlxDmy commented Mar 4, 2017

+1 on that thread. Does anyone have a timeline (or a rough estimate)?

leonklingele commented Mar 14, 2017

OpenSSL plans to ship TLS 1.3 in about three weeks (April 5): https://blogs.akamai.com/2017/01/tls-13-ftw.html

Member

4a6f656c commented Apr 30, 2017

As noted in https://www.mail-archive.com/openssl-dev@openssl.org/msg46709.html, OpenSSL has code that is "available" rather than "released". That aside, TLSv1.3 is still a draft and is not yet standardised. Additionally, we are well aware of the draft implementations in BoringSSL and OpenSSL.

myfreeweb commented Apr 30, 2017

Apparently nginx already supports 1.3 though?? Somehow

leonklingele commented Apr 30, 2017

nginx has only added support for TLS1.3 in the ssl_protocols directive. nginx/nginx@9a37eb3

Member

bob-beck commented May 1, 2017

You know, I am really thinking that those who are dying for a draft implementation of a not yet ratified standard could run code from other projects with a proven track record of draft quality implementations of not yet ratified standards....

nimbius commented Mar 11, 2018

TLSv1.3 is still a draft and is not yet standardised largely due to industries that make a lucrative trade on SSL/TLS intercept products for enterprises not yet knowing how to "break" the protocol and allow it to properly proxy across their appliances.

Please don't let draft prevent the inclusion of an important advancement of the protocol.

Member

bob-beck commented Mar 24, 2018

Member

bob-beck commented Mar 24, 2018

We will support 1.3 once the standard is firmed up and finalized (i.e. ceases to be co-opted by vendors making changes to allow for people to continue to run moribund middle boxes that can't recognize a new protocol on the wire). Since there is effectively nothing wrong with TLS 1.2 with a sanely chosen cipher suite today, we believe a clean careful implementation is more beneficial than early adoption.

nimbius commented Mar 25, 2018

FWIW 1.3 was finalized and approved by the IETF last Wednesday.
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg17592.html
Interesting inclusion of a controversial feature, 0-RTT.

Please check:
E.5. Replay Attacks on 0-RTT

In my opinion this should probably remain a secure-by-default "off" feature unless a gas leak in the user's office has convinced them to enable it for some reason.

Thanks again for your dedication and careful consideration.

libressl-portable locked as off topic and limited conversation to collaborators Mar 25, 2018

fabianfrz referenced this issue Aug 15, 2018: net/haproxy: add support for TLS 1.3 #790 (Open)

libressl-portable unlocked this conversation Sep 4, 2018

frebib commented Nov 2, 2018

Is there a plan/roadmap for TLS 1.3?

angristan added a commit to angristan/nginx-autoinstall that referenced this issue Dec 12, 2018

pkubaj commented Dec 18, 2018

What is the status of TLSv1.3 in LibreSSL 2.9.0? I can see it's in the source, but disabled by default.

Is it still incomplete, or just not tested thoroughly? If you need testers, I can compile with LIBRESSL_HAS_TLS1_3.