FreeBSD 11 TLS 1.3

bagas

Active Member

Reaction score: 2
Messages: 126

Hello.
When will TLS 1.3 appear on FreeBSD 11?
Code:
OpenSSL 1.0.2o-freebsd  27 Mar 2018
Code:
FreeBSD 11.2-RELEASE-p10 amd64
For the time being, I cannot switch to FreeBSD 12.0.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,932
Messages: 33,331

It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.

If you need OpenSSL 1.1.1 you can set DEFAULT_VERSIONS+= ssl=openssl111 and build everything from ports. Note that this will only work for ports, it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).
 
bagas

SirDice said:
> It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.
>
> If you need OpenSSL 1.1.1 you can set DEFAULT_VERSIONS+= ssl=openssl111 and build everything from ports. Note that this will only work for ports, it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).

This is bad news.
 

usdmatt

Daemon

Reaction score: 544
Messages: 1,459

Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.
 
bagas

usdmatt said:
> Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.

I use a jail; if it is updated to FreeBSD 12.0, the jail will not start.
I already tried to transfer the jail from FreeBSD 11.2 to 12.0; the jail does not start.
 

SirDice

Set in /etc/make.conf:
Code:
DEFAULT_VERSIONS+= ssl=openssl111
Then (re)build everything from ports.
 
bagas

SirDice said:
> Set in /etc/make.conf:
> Code:
> DEFAULT_VERSIONS+= ssl=openssl111
> Then (re)build everything from ports.

Code:
# pkg version | grep "openssl1"
openssl111-1.1.1c
Code:
OpenSSL> version
OpenSSL 1.0.2o-freebsd  27 Mar 2018
After installing openssl111, I rebuilt all ports dependent on openssl111.
In nginx I indicated TLS 1.3.
Google Chrome recognizes TLS 1.2 but does not see TLS 1.3.
 

SirDice

Note the difference between /usr/bin/openssl (from the base OS) and /usr/local/bin/openssl (from ports/packages).
 
bagas

bagas said:
> After installing openssl111, I rebuilt all ports dependent on openssl111.

portupgrade -frR security/openssl111
 

rigoletto@

Daemon
Developer

Reaction score: 1,109
Messages: 2,176

Just installing security/openssl111 will not do the trick; you should set DEFAULT_VERSIONS as pointed out by SirDice before rebuilding all ports, and the right OpenSSL version from ports will be installed automatically when you upgrade.
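
Added example, not part of any post in this thread: a shell check for the base-versus-ports distinction discussed above. It decides from an `openssl version` banner whether that build can speak TLS 1.3 and, from `ldd` output, whether a binary such as nginx resolves libssl from base or from ports. The 1.1.1c banner, the ldd lines with their sonames and the nginx path are constructed or assumed.

```shell
#!/bin/sh
# Added example, not from the thread: tell base OpenSSL from ports OpenSSL.

# supports_tls13 "<output of 'openssl version'>"
# Returns 0 for OpenSSL 1.1.1 or newer, 1 for older, 2 if the banner is unparsable.
supports_tls13() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -ge 1 ] && return 0
    return 1
}

# libssl_origin: reads 'ldd <binary>' output on stdin and prints where libssl
# resolves: "ports" (/usr/local/lib), "base" (/lib or /usr/lib) or "none".
libssl_origin() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" {
             if ($3 ~ /^\/usr\/local\/lib\//) o = "ports"
             else if ($3 ~ /^(\/usr)?\/lib\//) o = "base"
         }
         END { print (o == "" ? "none" : o) }'
}

# Constructed samples: the base banner as quoted in the thread, a 1.1.1c banner
# as the port would print it, and two ldd lines with illustrative sonames.
BASE_BANNER='OpenSSL 1.0.2o-freebsd  27 Mar 2018'
PORTS_BANNER='OpenSSL 1.1.1c  28 May 2019'
BASE_LDD='    libssl.so.8 => /usr/lib/libssl.so.8 (0x800a4e000)'
PORTS_LDD='    libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800a4e000)'

for banner in "$BASE_BANNER" "$PORTS_BANNER"; do
    if supports_tls13 "$banner"; then s=yes; else s=no; fi
    echo "$banner -> TLS 1.3 capable: $s"
done
echo "sample base-linked binary:  $(printf '%s\n' "$BASE_LDD" | libssl_origin)"
echo "sample ports-linked binary: $(printf '%s\n' "$PORTS_LDD" | libssl_origin)"

# Live check on a real host; the NGINX path is an assumption, override as needed.
NGINX=${NGINX:-/usr/local/sbin/nginx}
for bin in /usr/bin/openssl /usr/local/bin/openssl; do
    if [ -x "$bin" ]; then echo "$bin: $("$bin" version)"; fi
done
if [ -x "$NGINX" ]; then
    echo "$NGINX uses libssl from: $(ldd "$NGINX" | libssl_origin)"
fi
```

If the last line reports `base` on FreeBSD 11, that nginx binary was not rebuilt against the ports OpenSSL and cannot negotiate TLS 1.3, whatever the configuration says.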
 