FreeBSD 11 TLS 1.3

[bagas]

Hello.
When will tls 1.3 appear on FreeBSD 11?

OpenSSL 1.0.2o-freebsd  27 Mar 2018

FreeBSD 11.2-RELEASE-p10 amd64

For the time being, I cannot switch to FreeBSD 12.0.

 

[SirDice]

It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.

If you need OpenSSL 1.1.1 you can set DEFAULT_VERSIONS+= ssl=openssl111 and build everything from ports. Note that this will only work for ports, it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).

 

[bagas]

It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.

If you need OpenSSL 1.1.1 you can set DEFAULT_VERSIONS+= ssl=openssl111 and build everything from ports. Note that this will only work for ports, it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).

This is bad news.

 

[SirDice]

This is bad news.

It depends on where you need TLS 1.3 for.

 

[usdmatt]

Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.

 

[bagas]

It depends on where you need TLS 1.3 for.

I need tls1.3 in nginx.

 

[bagas]

Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.

I use jail, if it is updated to FreeBSD 12.0 then jail will not start.
Already tried to transfer jail from Freebsd 11.2 to 12.0, jail does not start.

 

[bagas]

This bug
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219524

 

[SirDice]

I need tls1.3 in nginx.

Then set DEFAULT_VERSIONS and build from ports.

 

[bagas]

Then set DEFAULT_VERSIONS and build from ports.

Please explain.

 

[SirDice]

Set in /etc/make.conf:

DEFAULT_VERSIONS+= ssl=openssl111

Then (re)build everything from ports.

 

[bagas]

Set in /etc/make.conf:

DEFAULT_VERSIONS+= ssl=openssl111

Then (re)build everything from ports.

# pkg version | grep "openssl1"
openssl111-1.1.1c

OpenSSL> version
OpenSSL 1.0.2o-freebsd  27 Mar 2018

After installing openssl111 rebuilt all ports dependent on openssl111.
In nginx indicated TLS 1.3.
Google Chrome recognizes TLS 1.2, TLS1.3 does not see.

 

[SirDice]

Note the difference between /usr/bin/openssl (from the base OS) and /usr/local/bin/openssl (from ports/packages).

 

[bagas]

After installing openssl111 rebuilt all ports dependent on openssl111.
portupgrade -frR security/openssl111

 

[rigoletto@]

Just installing security/openssl111 will not do the trick, you should set DEFAULT_VERSIONS as pointed by SirDice before rebuilding all ports, and the right OpenSSL version from ports will be installed automatically when you upgrade.

 

[bagas]

Thanks!

 

[alfa]

Here is complete guide to enable tlsv1.3 support on FreeBSD 11.x nginx

FreeBSD Nginx enable Tlsv1.3 support – ucanbsd.com

 

[SirDice]

FreeBSD 11 is now End-of-life and should not be used anymore.

Unsupported FreeBSD Releases

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.

www.freebsd.org