igrigorik/istlsfastyet.com

Nginx has TLS 1.3 0-RTT support

bruxodasilva opened this issue · 9 comments

Nginx on versions 1.15.4+ has full TLS 1.3 support, with 0-RTT:
https://community.letsencrypt.org/t/tls-1-3-in-nginx/75148/4

Yay! Are you aware of any public announcements or official docs we can point to?

Sure!
http://nginx.org/en/CHANGES

"Changes with nginx 1.15.3 28 Aug 2018

*) Feature: now TLSv1.3 can be used with BoringSSL.

*) Feature: the "ssl_early_data" directive, currently available with
   BoringSSL."

ssl_early_data refers to https://tools.ietf.org/html/rfc8446#section-2.3

Best

Yup FYI https://nginx.org/en/CHANGES

  • Nginx 1.15.4 added OpenSSL 1.1.1 TLS v1.3 0-RTT (early data) support
  • Nginx 1.15.3 added BoringSSL TLS v1.3 0-RTT (early data) support

I have Nginx working with OpenSSL 1.1.1 or BoringSSL TLS 1.3 0-RTT early data https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/

Official Nginx docs for ssl_early_data directive at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data

Enables or disables TLS 1.3 early data.
Requests sent within early data are subject to replay attacks. To protect against such attacks at the application layer, the $ssl_early_data variable should be used.
proxy_set_header Early-Data $ssl_early_data;

Nice, thanks for the links! Let's link..

there is no way to deep link to release notes for specific release?

Yeah, no way on the change log page.

Nice, thanks for the links! Let's link..

  • 1.3 entry to: grr.. there is no way to deep link to release notes for specific release?

@igrigorik Why not link to http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols:

The TLSv1.1 and TLSv1.2 parameters (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.

The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.

@felixbuenemann +1 to that. Anyone willing to put together a PR to update these?

Looks like this was added in #186 already (see line 282)

Good catch, yep. Closing.