Is it possible to set up TLS 1.3 on various parts of OPNsense now? For example, with HAProxy, OpenVPN maybe even the main GUI.
If so, can you point to what needs setting up. Thanks.
In nginx it is enabled; it was just not supported by the OpenSSL / LibreSSL version in use. So, if you use that, it should be there out of the box.
I'm on 20.7 with LibreSSL 3.0.2; in OpenVPN I still get
openvpn[75324]: Options error: unknown tls-version-min parameter: 1.3
Quote:
We have released LibreSSL 3.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This is the first development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8. It includes the following changes:
* Enable TLS 1.3 server side in addition to client by default.
With this change TLS 1.3 is handled entirely on the new stack
and state machine, with fallback to the legacy stack and
state machine for older versions.
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt
A clarification regarding LibreSSL upgrade plans would be appreciated.
LibreSSL 3.0.2 (October 19th, 2019)
https://www.libressl.org/releases.html
...further questions? ;-)
First there would have to be a HardenedBSD release based on LibreSSL 3.2, then an OPNsense based on that BSD, so best guess: 21.7, maybe?
Whew... so...
If you need TLS 1.3 now use OpenSSL flavour.
If you need TLS 1.3 on LibreSSL:
3.0.x doesn't have it, we currently use this in OPNsense
3.1.x has client support only, released but not yet integrated. ETA is a 20.7.x update not too far away
3.2.x has client/server support, not yet released, so no date for inclusion
Cheers,
Franco
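The three states Franco lists (no TLS 1.3, client-only, client and server) can be told apart locally without touching OpenVPN or HAProxy. The following shell probe is an added example, not code from this thread or from the OPNsense project: it asks the installed openssl(1) command to hold a TLS 1.3 handshake with itself on the loopback interface. A library with client-only support (LibreSSL 3.1.x) or no support (3.0.x) cannot complete that handshake; OpenSSL 1.1.1+ and LibreSSL 3.2+ report TLSv1.3. The port 14433, the throwaway certificate and the one-second start-up delay are arbitrary choices for this example, and the probe assumes an `openssl` binary in PATH.

```shell
#!/bin/sh
# Added example (not from the OPNsense thread): probe whether the local
# OpenSSL/LibreSSL CLI can complete a TLS 1.3 handshake with itself, i.e.
# whether BOTH the client and the server side of the library speak TLS 1.3.
set -u

# Arbitrary high port for the throwaway test server (assumption for this example).
PORT="${TLS13_PROBE_PORT:-14433}"

# Prints the protocol the loopback handshake negotiated ("TLSv1.3"), or
# "none" when the client could not connect with TLS 1.3 forced.
# Returns 1 only if the openssl tool itself is unusable (missing, or unable
# to issue a self-signed certificate).
tls13_loopback_probe() {
    command -v openssl >/dev/null 2>&1 || return 1
    tmp=$(mktemp -d) || return 1

    # Throwaway self-signed RSA certificate for the local test server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; return 1; }

    # -www makes s_server act as a tiny HTTPS responder that never reads
    # stdin, so it is safe to run unattended in the background.
    openssl s_server -accept "$PORT" -key "$tmp/key.pem" -cert "$tmp/cert.pem" -www \
        </dev/null >/dev/null 2>&1 &
    srv=$!
    sleep 1

    # -tls1_3 forbids any older protocol version. A library without TLS 1.3
    # client support rejects the flag; one with client-only support cannot
    # find a TLS 1.3 server in its own s_server. Either way no Protocol line
    # is printed. EOF on stdin makes s_client close the connection.
    proto=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_3 </dev/null 2>/dev/null \
        | sed -n 's/^ *Protocol *: *//p' | head -n 1)

    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$tmp"
    printf '%s\n' "${proto:-none}"
}

# Stand-alone use: sh tls13probe.sh --probe
if [ "${1:-}" = "--probe" ]; then
    printf 'library : %s\n' "$(openssl version 2>/dev/null || echo 'openssl not found')"
    printf 'loopback: %s\n' "$(tls13_loopback_probe || echo 'probe failed')"
fi
```

Run it on the firewall after a flavour switch and again after restarting services. Note the caveat: this exercises the library behind the openssl command-line tool; a service such as OpenVPN or HAProxy is only covered if it is linked against the same library, so a passing probe is a strong hint, not proof, that `tls-version-min 1.3` will be accepted.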
People choosing LibreSSL over OpenSSL do that for good reason. But these days you pay a high price for this decision (TLS 1.3 support...)
:-(
As outlined above: this clearly has only very remotely to do with the OPNsense project...
The slow turnaround of LibreSSL on TLS 1.3 is the main issue here, although to be fair adoption of TLS 1.3 has been slow from the start, partially due to OpenSSL 1.1.1 making a small mess in software projects.
Also...
Nobody:
OpenSSL: We are doing a major API revamp and call it OpenSSL 3.0.
https://www.openssl.org/blog/blog/2020/04/23/OpenSSL3.0Alpha1/
Cheers,
Franco
I can't actually remember the reason I chose the LibreSSL version of OPNsense, I'm sure I looked into it at the time, so is there any reason not to switch back if that's even possible?
If you specifically require TLS 1.3 there is no reason not to use OpenSSL.
Cheers,
Franco
So I simply take a backup, go to Firmware settings and switch?
Set flavour, save, then check for updates and install OpenSSL-based binaries -- done. Running services need to be restarted afterwards to use the new library.
A reboot can take care of any dangling library use if necessary.
Cheers,
Franco
I did some searching and see many messages going back earlier this year that TLS1.3 server is already available for LibreSSL, so should that not mean we have it available as well?
https://undeadly.org/cgi?action=article;sid=20200512074150
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt
I never considered LibreSSL, but now I investigated a bit and I immediately did the switch; smooth transition.
TLS1.2 is still good anyway, no need to rush for 1.3
Thanks to all OPNsense developers and contributors! Great JOB
Once more, LibreSSL 3.2.x is the current one. 20.7.2 just switched to 3.1.4.
But: 3.2.x is a development version whereas 3.1.4 is a release version as witnessed by their website:
https://www.libressl.org/
The latest stable release is 3.1.4
The latest development release is 3.2.1
3.2 becomes stable once OpenBSD 6.8 is released in 1-2 months. It might take us a few months as well to move to 3.2 so we are looking at January 2021 for server-side TLS 1.3 support.
Cheers,
Franco
Ok, thanks Franco
BTW, given the smooth nature of the 3.0 -> 3.1 update we might be able to deliver this quicker, some time in late November/early December.
Cheers,
Franco
So I finally bit the bullet this week and switched to the OpenSSL build, and lo and behold, I have TLS 1.3 available.
Just as a FYI, LibreSSL 3.2(.2) is out now but there seem to be a few minor issues reported so we shall wait for another point release before we begin testing, but it is on the wishlist for 21.1.
Cheers,
Franco
Latest stable is now 3.2.3
https://www.libressl.org/
As christmas is around the corner, could we pleeeeeeease have TLS1.3 in LibreSSL soon? :-)
Quote from: franco on September 03, 2020, 10:08:02 AM
BTW, given the smooth nature of the 3.0 -> 3.1 update we might be able to deliver this quicker, some time in late November/early December.
Maybe a little late but in time for 21.1-RC in January and perhaps even 20.7.8 if all goes well.
https://github.com/opnsense/ports/commit/1048c09fb
Cheers,
Franco
YEAAAAHH! :-D