
Add TLS v1.3 support #11603

Merged
merged 1 commit into from Aug 30, 2019

Conversation

@ichi-i
Contributor

commented Aug 18, 2019

Transport Layer Security (TLS) 1.3 was released in August 2018 and has several improvements over TLS 1.2 (faster handshakes and security improvements).

This would allow maintaining TLS v1.2 compatibility (might want to drop this later) and adding support for TLS v1.3.

In order to use TLS v1.3 it is necessary to have Nginx 1.13.0 (or greater) built against OpenSSL 1.1.1 (or greater).

Instances would most likely keep communicating between each other via TLS 1.2 because of Ruby's http.rb gem, but the connection between the instance and its users is going to be faster and more secure.

This change would only affect new installations unless the nginx steps of the configuration process are repeated by the admins of existing instances.

EDIT: I have now been running with this change for 5 days on my instance and I have encountered no issues.

Add TLS v1.3 support
Maintain TLS v1.2 compatibility (might want to drop this later) and add support for TLS v1.3
@angristan

Contributor

commented Aug 18, 2019

Does the HIGH cipher contain TLS 1.3 ciphers?

@ichi-i

Contributor Author

commented Aug 18, 2019

> Does the HIGH cipher contain TLS 1.3 ciphers?

It should as far as I know. I am no SSL expert, but after reading docs and running tests on https://www.ssllabs.com the following TLS v1.3 cipher suites are being returned:

  • TLS_AES_256_GCM_SHA384 (0x1302)
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)
  • TLS_AES_128_GCM_SHA256 (0x1301)

@angristan

Contributor

commented Aug 18, 2019

Indeed:

~# openssl version
OpenSSL 1.1.1  11 Sep 2018
~# openssl ciphers -V 'HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA' | grep TLSv1.3
          0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
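To make the question above checkable from code: an added Python example (not from this PR or from Mastodon) builds a server SSLContext with the same TLS 1.2 to TLS 1.3 range and cipher string discussed in the thread and lists which suites OpenSSL would offer per protocol version. It assumes Python 3.7 or newer linked against OpenSSL 1.1.1 or newer; the function names are mine.

```python
import ssl

# Cipher string from the `openssl ciphers -V` check in the thread.
CIPHER_STRING = "HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA"
# False when Python is linked against OpenSSL < 1.1.1 (no TLS 1.3 at all).
HAS_TLS13 = ssl.HAS_TLSv1_3


def build_server_context(cipher_string=CIPHER_STRING,
                         min_version=ssl.TLSVersion.TLSv1_2,
                         max_version=ssl.TLSVersion.TLSv1_3):
    """Approximate an nginx `ssl_protocols TLSv1.2 TLSv1.3;` plus the cipher
    string in a Python SSLContext (assumption: OpenSSL applies the same rules
    to both, since nginx also hands the string to SSL_CTX_set_cipher_list)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    # set_ciphers() governs TLS 1.2-and-below suites only. OpenSSL 1.1.1+
    # keeps the TLS 1.3 suites in a separate list (SSL_CTX_set_ciphersuites),
    # which is why they show up in `openssl ciphers` whatever the string says.
    ctx.set_ciphers(cipher_string)
    return ctx


def suites_by_protocol(ctx):
    """Map protocol version -> [(suite name, 16-bit suite id)] for the suites
    the context would offer; the id matches the 0x13,0x02 style above."""
    out = {}
    for c in ctx.get_ciphers():
        out.setdefault(c["protocol"], []).append((c["name"], c["id"] & 0xFFFF))
    return out


def tls13_suite_names(cipher_string=CIPHER_STRING):
    """Names of the TLS 1.3 suites offered under a given cipher string."""
    by_proto = suites_by_protocol(build_server_context(cipher_string))
    return [name for name, _ in by_proto.get("TLSv1.3", [])]


def sha1_suites(ctx):
    """Suites still using an HMAC-SHA1 MAC; the '!SHA' term should leave none."""
    return [c["name"] for c in ctx.get_ciphers()
            if (c.get("digest") or "").upper() == "SHA1"]


if __name__ == "__main__":
    ctx = build_server_context()
    for proto, suites in sorted(suites_by_protocol(ctx).items(), reverse=True):
        print(proto)
        for name, cid in suites:
            print("  0x%04x  %s" % (cid, name))
    # The TLS 1.3 list is unchanged even under a much narrower cipher string.
    print("TLS 1.3 under 'ECDHE+AESGCM':", tls13_suite_names("ECDHE+AESGCM"))
```

The practical consequence for the nginx change: the cipher string decides the TLS 1.2 suites only, so tightening or loosening it does not change what TLS 1.3 clients negotiate.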

@umonaca

Contributor

commented Aug 30, 2019

I have tested this on our production server and saw no side-effects. Firefox is showing TLS 1.3 instead of TLS 1.2. Federation still works because TLS 1.2 is in the config as fallback.

@Gargron Gargron merged commit 49f57b5 into tootsuite:master Aug 30, 2019
