Missing Support for OpenSSL 1.1.1 and TLS v1.3 #1256

Open
rdratlos opened this issue Apr 3, 2021 · 1 comment

Comments


rdratlos commented Apr 3, 2021

OpenSSL 1.1.1 was released on 11 September 2018. This is the latest LTS (Long Term Support) release, supported until September 2023. The headline new feature of OpenSSL 1.1.1 is TLSv1.3. This new version of the Transport Layer Security (formerly known as SSL) protocol was published by the IETF as RFC8446. This is a major rewrite of the standard and introduces significant changes, features and improvements which have been reflected in the new OpenSSL version. Main changes are not considered by Cherokee webserver:

  • Fully compliant implementation of TLSv1.3 (RFC8446) on by default
  • Support of five new RFC8446 ciphersuites (TLS v1.3)
  • Full support of minimum and maximum available TLS protocol version configuration

Recently OS distribution maintainers have started to improve OpenSSL security by hardcoded configuration of the min. available TLS protocol version for clients that want to connect to a server using TLS encryption.

skinkie (Member) commented Apr 3, 2021

Accepting patches :-)

rdratlos pushed a commit to rdratlos/cherokee-webserver that referenced this issue Apr 3, 2021
OpenSSL 1.1.1 was released on 11 September 2018. This is the latest LTS (Long
Term Support) release, supported until September 2023. The headline new feature
of OpenSSL 1.1.1 is TLSv1.3. This new version of the Transport Layer Security
(formerly known as SSL) protocol was published by the IETF as RFC8446. This is a
major rewrite of the standard and introduces significant changes, features and
improvements which have been reflected in the new OpenSSL version. Main changes
to be considered by Cherokee webserver:
- Fully compliant implementation of TLSv1.3 (RFC8446) on by default
- Support for all five new RFC8446 ciphersuites (TLS v1.3)
- Full support of minimum and maximum available TLS protocol version configuration

Recently OS distribution maintainers have started to improve OpenSSL security
by hardcoded configuration of the min. available TLS protocol version for clients
that want to connect to a server using TLS encryption. Cherokee command-line
option cherokee -i now reports this hardcoded setting to users.

Fixes: cherokee#1256

Signed-off-by: Thomas Reim <reimth@gmail.com>
rdratlos pushed a commit to rdratlos/cherokee-webserver that referenced this issue Apr 3, 2021
The Advanced page has been restructured and is now displayed in two flavours:
1.) OpenSSL version 1.1.1 and later
    Configuration of SSL/TLS protocols is now focused on setting minimum and
    maximum available protocol versions. Since OpenSSL 1.1.1 disabling of
    selected protocol versions has been deprecated. This section plus a warning
    has been moved to the page's bottom.
2.) OpenSSL version 1.1.0 and below
    System administrators still have to disable selected SSL/TLS protocol
    versions that Cherokee webserver should not offer to its clients.

TLS v1.3 has been added to the page.

On the Virtual Server page Ciphersuites have been added and the hint where to
find suitable and safe cipher sets has been adapted to recommend Mozilla
Intermediate compatibility ciphers for OpenSSL 1.1.1 and later. Mozilla
Old compatibility ciphers are recommended when using OpenSSL version 1.1.0 and
below as TLS back-end.

Fixes: cherokee#1256

Signed-off-by: Thomas Reim <reimth@gmail.com>