Discussion:
TLSv1.3 by default?
Olaf van der Spek
2018-11-23 13:43:03 UTC
Hi,

Why isn't 1.3 enabled by default (when available)?

Syntax:  ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282098,282098#msg-282098
Maxim Dounin
2018-11-23 16:51:00 UTC
Hello!
Post by Olaf van der Spek
Hi,
Why isn't 1.3 enabled by default (when available)?
Syntax:  ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
The main reason is that when it was implemented, the TLSv1.3 RFC
wasn't yet finalized, TLSv1.3 was only available via various
drafts, and only with pre-release versions of OpenSSL.

Now with RFC 8446 published and OpenSSL 1.1.1 with TLSv1.3
released this probably can be reconsidered. On the other hand,
enabling TLSv1.3 is known to break at least some configurations,
see here for an example:

https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share

Also, due to the different approach to configuring ciphers, "ssl_ciphers
aNULL;" will no longer work as a way to indicate no SSL support
with TLSv1.3 enabled (https://trac.nginx.org/nginx/ticket/195).
--
Maxim Dounin
http://mdounin.ru/
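The two points above (whether TLSv1.3 is actually in effect for a server once ssl_protocols inheritance is taken into account, and whether a server's "ssl_ciphers aNULL;" marker has silently stopped refusing handshakes) can be checked against a configuration file. The script below is an added example, not nginx project code: its config parser is a deliberate simplification, the sample configuration, hostnames and certificate omissions are constructed, and the fallback default mirrors the ssl_protocols default quoted in this thread (later nginx releases, from 1.23.4, changed the default to TLSv1.2 TLSv1.3, which is why the default is a parameter).

```python
"""Audit an nginx config for the TLSv1.3 pitfalls raised in this thread: which ssl
servers end up with TLSv1.3 enabled once ssl_protocols is inherited, and which still
rely on "ssl_ciphers aNULL;" as a "no SSL" marker, which stops working when TLSv1.3
is on.  Added example, not nginx code.  The parser is a simplification: braces, ';',
quotes and '#' comments only (no include, variables, or '#' inside quoted strings)."""
import re
from dataclasses import dataclass, field

DOC_DEFAULT_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")  # default quoted in the thread
_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


@dataclass
class Block:
    name: str
    args: list
    directives: list = field(default_factory=list)  # (name, args) in file order
    children: list = field(default_factory=list)

    def last(self, name):
        vals = [a for n, a in self.directives if n == name]
        return vals[-1] if vals else None


def parse(text):
    """Parse nginx config text into a Block tree rooted at 'main'."""
    text = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    root, words = Block("main", []), []
    stack = [root]
    for tok in _TOKEN_RE.findall(text):
        if tok == "{":
            blk = Block(words[0], words[1:])
            stack[-1].children.append(blk)
            stack.append(blk)
            words = []
        elif tok == "}":
            if words or len(stack) == 1:
                raise ValueError("unterminated directive or unbalanced '}'")
            stack.pop()
        elif tok == ";":
            stack[-1].directives.append((words[0], words[1:]))
            words = []
        else:
            words.append(tok.strip("\"'"))
    if len(stack) != 1:
        raise ValueError("unclosed block %r" % stack[-1].name)
    return root


def _effective(chain, name):
    """nginx inheritance: the innermost block (main -> http -> server) that sets it wins."""
    for blk in reversed(chain):
        val = blk.last(name)
        if val is not None:
            return val
    return None


def audit(text, default_protocols=DOC_DEFAULT_PROTOCOLS):
    """One dict per SSL server: effective protocols, TLSv1.3 state, aNULL-marker state."""
    root, out = parse(text), []
    for http in (c for c in root.children if c.name == "http"):
        for srv in (c for c in http.children if c.name == "server"):
            # "listen ... ssl" (or the deprecated "ssl on") marks an SSL server.
            if not any((n == "listen" and "ssl" in a) or (n == "ssl" and a == ["on"])
                       for n, a in srv.directives):
                continue
            chain = [root, http, srv]
            protos = tuple(_effective(chain, "ssl_protocols") or default_protocols)
            ciphers = [c.lower() for c in (_effective(chain, "ssl_ciphers") or [])]
            tls13, anull = "TLSv1.3" in protos, ciphers == ["anull"]
            out.append({"server": (srv.last("server_name") or srv.last("listen"))[0],
                        "protocols": protos, "tls13": tls13, "anull_marker": anull,
                        "broken_marker": anull and tls13})  # marker no longer refuses TLS
    return out


# Constructed sample; hostnames are made up and certificate directives are omitted.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # set once, inherited by every server below
    ssl_ciphers   HIGH:!aNULL:!MD5;
    server {
        listen 443 ssl;
        server_name www.example.com;
    }
    server {                          # catch-all relying on the aNULL trick
        listen 443 ssl default_server;
        server_name _;
        ssl_ciphers aNULL;
    }
    server {                          # same trick, but pins the documented default
        listen 8443 ssl;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers aNULL;
    }
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        flag = "  !! aNULL marker no longer refuses handshakes" if f["broken_marker"] else ""
        print("%s: TLSv1.3 %s (%s)%s" % (f["server"], "on" if f["tls13"] else "off",
                                         " ".join(f["protocols"]), flag))
```

Run against the sample, the catch-all server is flagged: it inherits TLSv1.3 from the http block, and since TLSv1.3 ciphersuites are configured separately from ssl_ciphers, "aNULL" no longer leaves the handshake with no usable suite. The legacy server pins the old default and keeps the marker working. For configurations that need a certificate-free catch-all, nginx 1.19.4 and later provide "ssl_reject_handshake on;" as the supported replacement for the aNULL trick.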
Olaf van der Spek
2018-11-23 18:05:55 UTC
What's the recommendation for distros? Should they explicitly enable
TLSv1.3?
Ideally they'd just stick to upstream defaults, hence my question about the
default.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282098,282108#msg-282108
Maxim Dounin
2018-11-23 18:58:33 UTC
Hello!
Post by Olaf van der Spek
What's the recommendation for distros? Should they explicitly enable
TLSv1.3?
Ideally they'd just stick to upstream defaults, hence my question about the
default.
The recommendation for distros is not to mess with the defaults.
--
Maxim Dounin
http://mdounin.ru/
Olaf van der Spek
2018-11-23 20:39:45 UTC
Maxim Dounin Wrote:
-------------------------------------------------------
Post by Maxim Dounin
Hello!
Post by Olaf van der Spek
What's the recommendation for distros? Should they explicitly enable
TLSv1.3?
Ideally they'd just stick to upstream defaults, hence my question about the
default.
The recommendation for distros is not to mess with the defaults.
Should they use the 'defaults' from the stock nginx.conf or the defaults
from the binary / docs? ;)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282098,282110#msg-282110
Olaf van der Spek
2018-11-28 08:07:25 UTC
Olaf van der Spek Wrote:
-------------------------------------------------------
Post by Olaf van der Spek
Post by Maxim Dounin
Hello!
Post by Olaf van der Spek
What's the recommendation for distros? Should they explicitly enable
TLSv1.3?
Ideally they'd just stick to upstream defaults, hence my question about the
default.
The recommendation for distros is not to mess with the defaults.
Should they use the 'defaults' from the stock nginx.conf or the
defaults from the binary / docs? ;)
Maxim?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282098,282157#msg-282157
Maxim Dounin
2018-11-28 14:19:29 UTC
Hello!
Post by Olaf van der Spek
Post by Maxim Dounin
Hello!
Post by Olaf van der Spek
What's the recommendation for distros? Should they explicitly enable
TLSv1.3?
Ideally they'd just stick to upstream defaults, hence my question about the
default.
The recommendation for distros is not to mess with the defaults.
Should they use the 'defaults' from the stock nginx.conf or the
defaults from the binary / docs? ;)
Maxim?
There is no such thing as "defaults from the stock nginx.conf".
The nginx.conf file can be used to set various configuration
parameters.

Obviously enough, distributions may need to set something in
nginx.conf they ship with nginx packages differently from what is
configured in example configuration as available in nginx sources,
conf/nginx.conf. Though my recommendation would be to keep
configuration shipped as close to conf/nginx.conf as possible, and
don't diverge from it unless there are good reasons to.

As for TLSv1.3, the TLSv1.3 protocol is currently disabled by
default in nginx. Distributions shouldn't try to enable it
(either way) unless there are very good reasons to do so.
--
Maxim Dounin
http://mdounin.ru/
Olaf van der Spek
2018-11-28 19:29:26 UTC
Maxim Dounin Wrote:
-------------------------------------------------------
Post by Maxim Dounin
There is no such thing as "defaults from the stock nginx.conf".
The nginx.conf file can be used to set various configuration
parameters.
Obviously enough, distributions may need to set something in
nginx.conf they ship with nginx packages differently from what is
configured in example configuration as available in nginx sources,
conf/nginx.conf. Though my recommendation would be to keep
That's the file I meant.
Post by Maxim Dounin
configuration shipped as close to conf/nginx.conf as possible, and
don't diverge from it unless there are good reasons to.
OK, but that file sets some settings differently from documented defaults,
which is kinda confusing.
Wouldn't it make sense to not do that?

I'd prefer the nginx.conf to be as clean and simple as possible.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282098,282172#msg-282172
Maxim Dounin
2018-11-28 19:38:25 UTC
Hello!
Post by Olaf van der Spek
-------------------------------------------------------
Post by Maxim Dounin
There is no such thing as "defaults from the stock nginx.conf".
The nginx.conf file can be used to set various configuration
parameters.
Obviously enough, distributions may need to set something in
nginx.conf they ship with nginx packages differently from what is
configured in example configuration as available in nginx sources,
conf/nginx.conf. Though my recommendation would be to keep
That's the file I meant.
Post by Maxim Dounin
configuration shipped as close to conf/nginx.conf as possible, and
don't diverge from it unless there are good reasons to.
OK, but that file sets some settings differently from documented defaults,
which is kinda confusing.
Wouldn't it make sense to not do that?
I'd prefer the nginx.conf to be as clean and simple as possible.
As I already tried to explain in Trac ticket #1681, one of the
important goals of conf/nginx.conf, as well as any other default
configuration file, is to demonstrate how various things can be
tuned. If this is still not clear, I don't think that repeating
this explanation would help. Sorry about that.
--
Maxim Dounin
http://mdounin.ru/
Olaf van der Spek
2018-11-28 20:28:56 UTC
Maxim Dounin Wrote:
-------------------------------------------------------
Post by Olaf van der Spek
OK, but that file sets some settings differently from documented defaults,
which is kinda confusing.
Wouldn't it make sense to not do that?
I'd prefer the nginx.conf to be as clean and simple as possible.
Post by Maxim Dounin
As I already tried to explain in Trac ticket #1681, one of the
important goals of conf/nginx.conf, as well as any other default
configuration file, is to demonstrate how various things can be
tuned.
This is mostly done by comments, though I'd argue a link to an HTML document
would be better to explain things.
Post by Maxim Dounin
If this is still not clear, I don't think that repeating
this explanation would help. Sorry about that.
Didn't realise that was you.
So should a 'default' install of nginx end up with default_type
application/octet-stream, with default_type text/plain or would both be fine
with you?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282098,282175#msg-282175