igrigorik / istlsfastyet.com

Is TLS fast yet? Yes, yes it is.
https://istlsfastyet.com
421 stars, 89 forks

Nginx has TLS 1.3 0-RTT support #180

Closed bruxodasilva closed 4 years ago

bruxodasilva commented 5 years ago

Nginx on versions 1.15.4+ has full TLS 1.3 support, with 0-RTT: https://community.letsencrypt.org/t/tls-1-3-in-nginx/75148/4

igrigorik commented 5 years ago

Yay! Are you aware of any public announcements or official docs we can point to?

dferreira-cvl commented 5 years ago

Sure! http://nginx.org/en/CHANGES

"Changes with nginx 1.15.3 28 Aug 2018

*) Feature: now TLSv1.3 can be used with BoringSSL.

*) Feature: the "ssl_early_data" directive, currently available with
   BoringSSL."

ssl_early_data refers to https://tools.ietf.org/html/rfc8446#section-2.3

Best

centminmod commented 5 years ago

Yup FYI https://nginx.org/en/CHANGES

I have Nginx working with OpenSSL 1.1.1 or BoringSSL TLS 1.3 0-RTT early data https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/

Official Nginx docs for ssl_early_data directive at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data

> Enables or disables TLS 1.3 early data. Requests sent within early data are subject to replay attacks. To protect against such attacks at the application layer, the $ssl_early_data variable should be used.
>
> `proxy_set_header Early-Data $ssl_early_data;`
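The replay caveat in the quoted docs is the part that matters for anyone turning `ssl_early_data on`. Below is an added example (not from this thread, the nginx project, or centminmod) of the application-layer check nginx is pointing at: the backend receives the `Early-Data` header that `proxy_set_header Early-Data $ssl_early_data;` injects, and refuses non-safe methods with 425 Too Early (RFC 8470) while the request is still inside replayable 0-RTT data. The `Backend`, its `/withdraw` and `/balance` endpoints, and the request objects are constructed toys that exist only to make the effect of a replayed POST visible.

```python
"""
Application-layer guard against TLS 1.3 0-RTT replay, built on the
nginx docs' advice to forward $ssl_early_data to the upstream as an
Early-Data header:

    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

nginx sets $ssl_early_data to "1" while a request arrived in 0-RTT
early data and the handshake has not yet completed, and to "" once
it has, so the upstream sees "Early-Data: 1" only for requests an
attacker could replay by re-sending the captured early-data record.

425 (Too Early) is the RFC 8470 status for "not willing to risk
processing this in 0-RTT"; a client that receives it retries the
same request after the handshake completes.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Methods RFC 7231 defines as safe: replaying them has no side effects,
# so they may be served from early data without a second round trip.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict          # header names lower-cased, as a WSGI layer would
    body: str = ""


@dataclass
class Backend:
    """Constructed toy backend (not a real service): one state-changing
    endpoint so that a replayed POST shows up as a double withdrawal."""
    balance: int = 100
    log: list = field(default_factory=list)

    def in_early_data(self, req: Request) -> bool:
        # Exactly the value nginx injects from $ssl_early_data.
        return req.headers.get("early-data") == "1"

    def handle(self, req: Request, guard: bool = True) -> tuple[int, str]:
        if guard and self.in_early_data(req) and req.method not in SAFE_METHODS:
            # Unsafe method carried in 0-RTT: refuse rather than risk a replay.
            return 425, "Too Early"
        return self.dispatch(req)

    def dispatch(self, req: Request) -> tuple[int, str]:
        if req.method == "POST" and req.path == "/withdraw":
            amount = int(req.body)
            self.balance -= amount
            self.log.append(("withdraw", amount))
            return 200, f"balance={self.balance}"
        if req.method == "GET" and req.path == "/balance":
            return 200, f"balance={self.balance}"
        return 404, "Not Found"


def replay_scenario(guard: bool) -> tuple[int, list[int]]:
    """Deliver the same 0-RTT POST twice (the original plus a replayed
    copy of the early-data record).  Without the guard both copies are
    applied; with it both get 425 and the client's retry after the full
    handshake (Early-Data now empty) is applied exactly once.
    Returns the final balance and the status codes observed."""
    backend = Backend()
    early_post = Request("POST", "/withdraw", {"early-data": "1"}, "30")
    statuses = [backend.handle(early_post, guard)[0] for _ in range(2)]
    if statuses[-1] == 425:
        # Client retries once the handshake is complete; nginx now sends
        # Early-Data with an empty value, so the request is not replayable.
        retry = Request("POST", "/withdraw", {"early-data": ""}, "30")
        statuses.append(backend.handle(retry, guard)[0])
    return backend.balance, statuses


if __name__ == "__main__":
    print("unguarded:", replay_scenario(guard=False))   # (40, [200, 200])
    print("guarded:  ", replay_scenario(guard=True))    # (70, [425, 425, 200])
```

The guard keys only on the header nginx itself sets, so a client cannot bypass it by sending its own `Early-Data` header: nginx overwrites that header with `$ssl_early_data` on every proxied request. Safe methods still pass through in 0-RTT, which preserves the latency win for page loads while keeping state-changing requests out of the replay window.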

igrigorik commented 5 years ago

Nice, thanks for the links! Let's link..

centminmod commented 5 years ago

> there is no way to deep link to release notes for specific release?

yeah no way on change log page

felixbuenemann commented 5 years ago

> Nice, thanks for the links! Let's link..
>
> • 1.3 entry to: grr.. there is no way to deep link to release notes for specific release?

@igrigorik Why not link to http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols:

The TLSv1.1 and TLSv1.2 parameters (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.

The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.

igrigorik commented 5 years ago

@felixbuenemann +1 to that. Anyone willing to put together a PR to update these?

styfle commented 4 years ago

Looks like this was added in #186 already (see line 282)

igrigorik commented 4 years ago

Good catch, yep. Closing.