FreeBSD 11 TLS 1.3

bagas

Active Member

Reaction score: 2
Messages: 148

Hello.
When will TLS 1.3 appear on FreeBSD 11?
Code:
OpenSSL 1.0.2o-freebsd  27 Mar 2018

Code:
FreeBSD 11.2-RELEASE-p10 amd64

For the time being, I cannot switch to FreeBSD 12.0.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 9,512
Messages: 34,309

It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.

If you need OpenSSL 1.1.1 you can set DEFAULT_VERSIONS+= ssl=openssl111 and build everything from ports. Note that this will only work for ports; it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).
 
bagas

This is bad news.
 

usdmatt

Daemon

Reaction score: 571
Messages: 1,498

Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.
 
bagas

I use a jail; if it is updated to FreeBSD 12.0, the jail will not start.
I already tried to transfer the jail from FreeBSD 11.2 to 12.0, and the jail does not start.
 

SirDice

Set in /etc/make.conf:
Code:
DEFAULT_VERSIONS+= ssl=openssl111

Then (re)build everything from ports.
 
bagas

Code:
# pkg version | grep "openssl1"
openssl111-1.1.1c  

Code:
OpenSSL> version
OpenSSL 1.0.2o-freebsd  27 Mar 2018

After installing openssl111, I rebuilt all ports dependent on openssl111.
In nginx I indicated TLS 1.3.
Google Chrome recognizes TLS 1.2 but does not see TLS 1.3.
 

SirDice

Note the difference between /usr/bin/openssl (from the base OS) and /usr/local/bin/openssl (from ports/packages).
 
bagas

After installing openssl111, I rebuilt all ports dependent on openssl111.
portupgrade -frR security/openssl111
 

rigoletto@

Daemon
Developer

Reaction score: 1,185
Messages: 2,219

Just installing security/openssl111 will not do the trick; you should set DEFAULT_VERSIONS as pointed out by SirDice before rebuilding all ports, and the right OpenSSL version from ports will be installed automatically when you upgrade.
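
The base-versus-ports distinction raised in this thread can be checked per binary instead of by running `openssl version`. The script below is an added example, not part of any post: it classifies `ldd` output by library directory, assuming the FreeBSD layout (base under /lib and /usr/lib, ports under /usr/local/lib). The function names, the nginx path and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which OpenSSL a binary is linked
# against, judged by library directory. Assumption: FreeBSD layout, with base
# libraries under /lib and /usr/lib and ports/packages under /usr/local/lib.

# classify_libssl (hypothetical name): reads `ldd` output on stdin and prints
# base | ports | mixed | none. "mixed" means some dependency was not rebuilt.
classify_libssl() {
    awk '
        # ldd line shape: libssl.so.N => /path/libssl.so.N (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\//)       ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1
        }
        END {
            if (ports && base) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# check_binary (hypothetical name): classify a real binary on this host,
# e.g. check_binary /usr/local/sbin/nginx (path assumed for a ports nginx).
check_binary() {
    ldd "$1" 2>/dev/null | classify_libssl
}

# tls13_ok (hypothetical name): succeed only if host:port negotiates TLS 1.3.
# Uses the ports client; the base 1.0.2 client has no -tls1_3 option.
tls13_ok() {
    /usr/local/bin/openssl s_client -tls1_3 -connect "$1" </dev/null 2>/dev/null |
        grep -q '^New, TLSv1\.3'
}

# Constructed sample ldd output; library version suffixes are illustrative.
sample_base='  libssl.so.8 => /usr/lib/libssl.so.8 (0x800a4a000)
  libcrypto.so.8 => /lib/libcrypto.so.8 (0x800e00000)'
sample_ports='  libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800a4a000)
  libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800e00000)'
sample_mixed='  libssl.so.11 => /usr/local/lib/libssl.so.11 (0x800a4a000)
  libcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800e00000)
  libcrypto.so.8 => /lib/libcrypto.so.8 (0x801200000)'

for s in "$sample_base" "$sample_ports" "$sample_mixed"; do
    printf '%s\n' "$s" | classify_libssl
done
```

A result of `base` or `mixed` for a server binary means it, or one of its dependencies, still loads the base OpenSSL and was not rebuilt with DEFAULT_VERSIONS set.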
 