ppa1~xenial with TLS v1.3 support

Haim Ari
ppa1~xenial with TLS v1.3 support
September 05, 2018 11:40AM
Hello,

Is there a way to add TLS v1.3 without compiling haproxy ? (and still use PPA version for Ubuntu)
I noticed there is "OpenSSL extensions support"

Thank you,



HA-Proxy version 1.8.13-1ppa1~xenial 2018/08/01
Copyright 2000-2018 Willy Tarreau <[email protected]>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.38 2015-11-23
Running on PCRE version : 8.38 2015-11-23
PCRE library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Haim Ari / SysOps Manager

M: 972.584563032 / T: 972.722288367
Lukas Tribus
Re: ppa1~xenial with TLS v1.3 support
September 05, 2018 12:20PM
Hello,


On Wed, 5 Sep 2018 at 11:31, Haim Ari <[email protected]> wrote:
>
> Hello,
>
> Is there a way to add TLS v1.3 without compiling haproxy ? (and still use PPA version for Ubuntu)

No. TLSv1.3 requires OpenSSL 1.1.1, which is still in beta phase, and
even if it becomes stable, it will require some time before openssl
1.1.1 hits the repository. Then haproxy will have to be rebuilt on
that; I doubt the PPA will contain a static version of openssl 1.1.1.

Note also that currently *no* browser supports the final TLSv1.3
specification. Chrome supports some older draft (maybe draft-26) and
Firefox supports draft-28; none of them will work with OpenSSL, as they
just removed all draft support (only the final TLS1.3 spec is
supported in OpenSSL as of beta 7).


This is the time to test TLSv1.3, but it's not the time to deploy it
in production unless you have the time to closely follow openssl and
browser development.



cheers,
lukas
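The answer above comes down to two lines of `haproxy -vv` output: the OpenSSL version the binary was built against, and the "OpenSSL library supports :" list, which in the original post stops at TLSv1.2. The following POSIX shell script is an added example (not code from the thread or from the HAProxy project) that parses those lines and reports whether a build can offer TLSv1.3 or still needs to be rebuilt against OpenSSL 1.1.1. The first sample is the `-vv` output quoted in the question, trimmed to the relevant lines; the second sample, showing a build against OpenSSL 1.1.1, is constructed for illustration and its haproxy version string is a placeholder.

```shell
#!/bin/sh
# Constructed sample 1: the relevant lines of the "haproxy -vv" output from the question.
SAMPLE_VV='HA-Proxy version 1.8.13-1ppa1~xenial 2018/08/01
Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2'

# Constructed sample 2 (placeholder values, not from the thread): a build linked
# against OpenSSL 1.1.1, where haproxy lists TLSv1.3 as supported.
SAMPLE_VV_111='HA-Proxy version X.Y.Z (placeholder)
Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

# openssl_version Built|Running  <  haproxy-vv-output
# Prints the version token (e.g. "1.0.2g") from the "Built with OpenSSL version :"
# or "Running on OpenSSL version :" line.
openssl_version() {
    grep "^$1 .*OpenSSL version" | sed 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/'
}

# openssl_at_least_111 VERSION
# Succeeds when the numeric part of VERSION is >= 1.1.1, the first OpenSSL release
# with TLSv1.3. The trailing letter of e.g. 1.0.2g is a patch level and is ignored.
openssl_at_least_111() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 1 ] && return 0
    [ "$minor" -lt 1 ] && return 1
    [ "$patch" -ge 1 ]
}

# tls13_status  <  haproxy-vv-output
# Prints one status token (optionally followed by detail):
#   tls13-available                      haproxy lists TLSv1.3 in its supported protocols
#   needs-rebuild-against-openssl-1.1.1  linked against an OpenSSL older than 1.1.1
#   check-haproxy-version                OpenSSL is new enough but TLSv1.3 is not listed
# A mismatch between build-time and runtime OpenSSL versions is reported as a warning.
tls13_status() {
    out=$(cat)
    built=$(printf '%s\n' "$out" | openssl_version Built)
    running=$(printf '%s\n' "$out" | openssl_version Running)
    if [ -n "$running" ] && [ "$built" != "$running" ]; then
        printf 'warning: built with OpenSSL %s but running on %s\n' "$built" "$running" >&2
    fi
    if printf '%s\n' "$out" | grep -q '^OpenSSL library supports :.*TLSv1\.3'; then
        printf 'tls13-available\n'
    elif openssl_at_least_111 "$built"; then
        printf 'check-haproxy-version (OpenSSL %s is new enough, TLSv1.3 not listed)\n' "$built"
    else
        printf 'needs-rebuild-against-openssl-1.1.1 (built with OpenSSL %s)\n' "$built"
    fi
    return 0
}

# Demo on the two constructed samples; on a real host run:  haproxy -vv | tls13_status
printf '%s\n' "$SAMPLE_VV" | tls13_status
printf '%s\n' "$SAMPLE_VV_111" | tls13_status
```

Against the output in the question the script reports `needs-rebuild-against-openssl-1.1.1 (built with OpenSSL 1.0.2g)`, which is exactly the situation described in the reply: no configuration directive can add TLSv1.3, because the protocol list is fixed by the OpenSSL the package was compiled against.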