TLS 1.3

Now that TLS 1.3 has been approved, what is the status of using it with Apache? Last I heard apache 2.4 couldn't build against openssl 1.1, but that was a year ago.


By Stefan Eissing at 03/28/2018 - 07:18

Glad you asked: I just committed r1827912 into trunk that adds support for TLSv1.3 when linking against OpenSSL v.1.1.1-pre3. This does allow TLSv1.3 clients to talk that version to the server, but it will not enable any fancy early data or such. There is more support needed in the server to protect against replay attacks etc.

Maybe some people who link against other SSL libraries want to have a look and see what needs changing to work with those. Libressl is the most famous for requiring special attention here.

Once the change seems ok, I'll propose it for backport into the next 2.4.x release.



By Dave at 03/28/2018 - 11:02


I didn't know TLS 1.3 was out, thought it was next year before we'd
see it. What are some advantages of 1.3?


On 3/28/18, Stefan Eissing <stefan. ... at greenbytes dot de> wrote:

By LuKreme at 03/29/2018 - 04:05

On 2018-03-28 (09:02 MDT), David Mehler <dave. ... at gmail dot com> wrote:
Faster. Less cruft. Drops many near-EOL cryptos. But the main one is that it allows Perfect Forward Secrecy (PFS) which means that even if someone captures the traffic and stores it, and even if they interfere with the traffic actively at the time of communication, and then at some later time gets access to the private keys used by the client and the server, they STILL can't decrypt it.


This is kind of the holy grail in cryptography.

By Michael A. Peters at 03/29/2018 - 04:17

On 03/29/2018 01:05 AM, @lbutlr wrote:
Not just allows PFS, so does TLS 1.2 and with TLS 1.2 PFS ciphers are all I ever use. TLS 1.3 *mandates* PFS so you don't accidentally enable a cipher that does not have it, and that is a HUGE benefit.
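An added check illustrating the point above (my own example, not code from any poster or from httpd): it expands an OpenSSL cipher string the way mod_ssl's SSLCipherSuite would, flags any TLS 1.2-and-below suite whose key exchange is not ephemeral (EC)DH, and lists the TLS 1.3 suites, which OpenSSL 1.1.1+ keeps enabled independently of that string. It assumes the local Python is linked against OpenSSL; with an older OpenSSL the TLS 1.3 list is simply empty.

```python
import ssl


def expanded_ciphers(cipher_string):
    """Expand an OpenSSL cipher string (e.g. the value an admin would put in
    SSLCipherSuite) into the concrete suites OpenSSL would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def non_pfs_ciphers(cipher_string):
    """Names of TLS <= 1.2 suites in the expansion that use static RSA/DH key
    exchange, i.e. suites a captured-and-stored session could later be
    decrypted from once the server's private key leaks."""
    return [
        c["name"]
        for c in expanded_ciphers(cipher_string)
        if c["protocol"] != "TLSv1.3"
        and not c["name"].startswith(("ECDHE-", "DHE-"))
    ]


def tls13_ciphers(cipher_string):
    """TLS 1.3 suites OpenSSL reports; all are (EC)DHE-only by design, and
    SSLCipherSuite-style strings do not remove them."""
    return [c["name"] for c in expanded_ciphers(cipher_string)
            if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    # Constructed sample: one forward-secret suite and one static-RSA suite.
    sample = "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384"
    print("non-PFS suites that TLS 1.2 would still accept:",
          non_pfs_ciphers(sample))
    print("TLS 1.3 suites, always forward secret:", tls13_ciphers(sample))
```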

By LuKreme at 03/29/2018 - 22:25

On Mar 29, 2018, at 02:17, Michael A. Peters < ... at domblogger dot net> wrote:
Yes, sorry about that.

By Daniel Ferradal at 03/28/2018 - 11:43

briefly -> "some benefits that involve some problems that need the
server to support something to prevent them"

And now more seriously I read a quick explanation on the benefits on twitter yesterday, I'm sure there are more authoritative sources but it seems like a quick way to catch up if you are interested.
