[Solved] Is TLS 1.3 possible now?

Started by Taomyn, August 09, 2020, 07:31:27 AM

August 09, 2020, 07:31:27 AM Last Edit: September 26, 2020, 12:58:01 PM by Taomyn
Is it possible to set up TLS 1.3 on various parts of OPNsense now? For example, with HAProxy, OpenVPN, maybe even the main GUI.


If so, can you point to what needs setting up. Thanks.

In nginx it is enabled - it was only not supported by the OpenSSL / LibreSSL version in use. So, if you use that, it should be there out of the box.

I'm on 20.7 with LibreSSL 3.0.2; in OpenVPN I still get

openvpn[75324]: Options error: unknown tls-version-min parameter: 1.3
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote:
We have released LibreSSL 3.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8.  It includes the following changes:

    * Enable TLS 1.3 server side in addition to client by default.
      With this change TLS 1.3 is handled entirely on the new stack
      and state machine, with fallback to the legacy stack and
      state machine for older versions.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt

A clarification regarding LibreSSL upgrade plans would be appreciated.

August 10, 2020, 09:17:40 AM #4 Last Edit: August 10, 2020, 09:19:53 AM by chemlud
LibreSSL 3.0.2 (October 19th, 2019)

https://www.libressl.org/releases.html


...further questions? ;-)

At first there would have to be a HardenedBSD release based on LibreSSL 3.2, then an OPNsense based on this BSD, so best guess: 21.7, maybe?
kind regards
chemlud

Whew... so...

If you need TLS 1.3 now use OpenSSL flavour.

If you need TLS 1.3 on LibreSSL:

3.0.x doesn't have it; this is what we currently use in OPNsense

3.1.x has client support only, released but not yet integrated. ETA is a 20.7.x update not too far away

3.2.x has client/server support, not yet released, so no date for inclusion


Cheers,
Franco

People choosing LibreSSL over OpenSSL do that for good reason. But these days you pay a high price for this decision (TLS 1.3 support...)

:-(

As outlined above: this clearly has only very remotely to do with the OPNsense project...
kind regards
chemlud

The slow turnaround of LibreSSL on TLS 1.3 is the main issue here, although to be fair adoption of TLS 1.3 has been slow from the start, partially due to OpenSSL 1.1.1 making a small mess in software projects.

Also...

Nobody:
OpenSSL: We are doing a major API revamp and call it OpenSSL 3.0.

https://www.openssl.org/blog/blog/2020/04/23/OpenSSL3.0Alpha1/


Cheers,
Franco

I can't actually remember the reason I chose the LibreSSL version of OPNsense, I'm sure I looked into it at the time, so is there any reason not to switch back if that's even possible?

If you specifically require TLS 1.3 there is no reason not to use OpenSSL.


Cheers,
Franco

So I simply take a backup, go to Firmware settings and switch?




Set flavour, save, then check for updates and install OpenSSL-based binaries -- done. Running services need to be restarted afterwards to use the new library.

A reboot can take care of any dangling library use if necessary.


Cheers,
Franco
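As an added example, not from the thread or from the OPNsense project: a POSIX shell script that classifies the library the local `openssl` binary reports against the support matrix Franco lays out above (LibreSSL 3.0.x none, 3.1.x client only, 3.2.x client and server; OpenSSL 1.1.1 and later client and server) and then probes a listener with `openssl s_client -tls1_3` to confirm that a service actually negotiates TLS 1.3 after the flavour switch and service restart. The TLS13_HOST and TLS13_PORT environment variables, the script name, and the sample session block are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OPNsense code): check TLS 1.3 availability after a
# flavour switch. Assumes an `openssl` binary (OpenSSL or LibreSSL) in PATH.

# Classify TLS 1.3 support from the output of `openssl version`, following the
# matrix given in the thread: LibreSSL 3.0.x none, 3.1.x client only,
# 3.2.x and later client and server; OpenSSL 1.1.1 and later client and server.
tls13_support() {
  # $1: e.g. "LibreSSL 3.1.4" or "OpenSSL 1.1.1g  21 Apr 2020"
  set -- $1
  lib=$1
  ver=$2
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0      # no third version component
  patch=${patch%%[!0-9]*}                # "1g" -> "1"
  case $lib in
    LibreSSL)
      if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }; then
        echo client+server
      elif [ "$major" -eq 3 ] && [ "$minor" -eq 1 ]; then
        echo client-only
      else
        echo none
      fi ;;
    OpenSSL)
      if [ "$major" -ge 3 ] || { [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; }; then
        echo client+server
      else
        echo none
      fi ;;
    *) echo unknown ;;
  esac
}

# Extract the negotiated protocol from `openssl s_client` output
# (the "Protocol  : TLSv1.3" line of the SSL-Session block).
negotiated_protocol() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Force a TLS 1.3-only handshake against host:port and report the result.
# A client library without TLS 1.3 rejects -tls1_3 outright, so a failure here
# means either the client or the server side lacks it.
probe_tls13() {
  host=$1 port=$2
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -tls1_3 2>&1) || {
    echo "no TLS 1.3 handshake with $host:$port"
    return 1
  }
  echo "$host:$port negotiated $(negotiated_protocol "$out")"
}

# Constructed sample of an s_client SSL-Session block, for offline demonstration.
SAMPLE_SESSION='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

if command -v openssl >/dev/null 2>&1; then
  echo "local library: $(openssl version) -> TLS 1.3 support: $(tls13_support "$(openssl version)")"
fi
echo "sample session negotiated: $(negotiated_protocol "$SAMPLE_SESSION")"
# Live probe only when asked, e.g. TLS13_HOST=firewall.example.net TLS13_PORT=443 sh tls13check.sh
if [ -n "${TLS13_HOST:-}" ]; then
  probe_tls13 "$TLS13_HOST" "${TLS13_PORT:-443}"
fi
```

Run it on the firewall itself after the flavour switch to see which library the binaries now link against, then point TLS13_HOST at the GUI or HAProxy listener from a client with TLS 1.3 support; a "client-only" verdict explains why a LibreSSL 3.1.x box can reach TLS 1.3 servers but still cannot offer TLS 1.3 to its own clients.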

I did some searching and see many messages going back earlier this year that TLS 1.3 server is already available for LibreSSL, so should that not mean we have it available as well?


https://undeadly.org/cgi?action=article;sid=20200512074150


https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt

I never considered LibreSSL, but now I investigated a bit and I immediately did the switch, smooth transition.

TLS 1.2 is still good anyway, no need to rush for 1.3

Thanks to all OPNsense developers and contributors! Great JOB
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet

Once more, LibreSSL 3.2.x is the current one. 20.7.2 just switched to 3.1.4.

But: 3.2.x is a development version whereas 3.1.4 is a release version as witnessed by their website:

https://www.libressl.org/

The latest stable release is 3.1.4
The latest development release is 3.2.1

3.2 becomes stable once OpenBSD 6.8 is released in 1-2 months. It might take us a few months as well to move to 3.2 so we are looking at January 2021 for server-side TLS 1.3 support.


Cheers,
Franco