Mailcow-dockerized: TLS v1.3 when?

Created on 12 Aug 2018 · 16Comments · Source: mailcow/mailcow-dockerized

Since TLSv1.3 has a RFC doc now, is there already an ETA to include it along with 1.2 in NGINX?

enhancement

Source

MAGICCC

Most helpful comment

https://bugs.alpinelinux.org/versions/127

It is in edge branch. We need v3.9 with openssl 1.1.1(a) to support TLSv1.3.

Sadly Nginx does not use the edge branch in a testing/edge build

Knight1 on 16 Dec 2018

👍2

All 16 comments

Following the release of OpenSSL 1.1.1 stable, it will become widely available. As of now, we have to wait or compile an own instance of NginX using openssl-1.1.1-pre.

phenomax on 12 Aug 2018

👍1

Yes, we need to wait for OpenSSL 1.1.1 to be available in Alpine (since we use Nginx mainline on Alpine).

andryyy on 13 Aug 2018

👍1

Sounds great! Will TLS 1.3 be a "web only" thing, or are the messages itself also TLS 1.3 encrypted?

https://github.com/openssl/openssl/milestone/9

ghost on 18 Aug 2018

Just a quick info.
OpenSSL 1.1.1 is out now. We have to wait until Alpine will release its build and then we have to wait for the Dockerteam to build a new NGinx version with it.
Until then we can read https://wiki.openssl.org/index.php/TLS1.3

MAGICCC on 11 Sep 2018

👍2

yay https://pkgs.alpinelinux.org/package/edge/testing/x86_64/openssl1.1-dev
Now we have to wait for the latest push for nginx:mainline-alpine

MAGICCC on 28 Sep 2018

👍2

Cool!

andryyy on 28 Sep 2018

This really is going faster than I expected. 😍

Offtopic
~@MAGICCC I know its a bit off topic but do you know when apache2 is planning to release TLS 1.3 support? I cant find any "good" information about it.~
~Update: They just released it. https://github.com/apache/httpd/blob/2.4.36/CHANGES~

obendev on 28 Sep 2018

I know how to build it. We build many containers but i guess it is not worth the effort?

Knight1 on 15 Oct 2018

It is not that we don't know how to build it.

andryyy on 15 Oct 2018

That is not what i meant :o

The problem is that OpenSSL and NGINX needs some time to compile. And Chrome and Firefox does not support it in stable only beta at this time. So do we want it or not?

Knight1 on 15 Oct 2018

No, I don't want an non-official image for this, that's what I meant.

andryyy on 15 Oct 2018

We need to wait for Alpine 3.9. I am sure the Alpine team will put OpenSSL 1.1.1 in the 3.9 release

MAGICCC on 16 Oct 2018

👍2

This. Since openssl 1.1.1 is LTS it does not make sense to compile it against any prerelease version.

& TLS 1.3 will be stable in Chrome 70. Version 69 is the last version with draft.

obendev on 16 Oct 2018

Where can I find information about the status of nginx:mainline-alpine?
https://github.com/nginxinc/docker-nginx/tree/master/mainline/alpine?

obendev on 15 Dec 2018

https://bugs.alpinelinux.org/versions/127