TLS 1.3 is Final

Post by Heo32 »

TLS 1.3 has been finalized. This is a big deal for the Internet. It is the fastest and most secure TLS to date. TLS 1.3 disables old, obsolete and insecure ciphers that still remain enabled in configuration files.

https://www.techrepublic.com/article/tl ... net-safer/
Financial industry security professionals requested the inclusion of a backdoor in TLS 1.3 that would allow them to continue to monitor TLS traffic, but that was rejected in the final version that was approved, with IETF members saying a backdoor would eliminate the advantages that TLS 1.3 would provide.
August 15, 2018 update:
https://kinsta.com/blog/tls-1-3/

Here is the list of TLSv1.3 ciphers that may be used for anyone interested (there may be more):

Code:

TLS13-AES-128-GCM-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256

Are there any components of phpBB that should get updated to support TLS 1.3? I know the Extension version check was restricted to TLS 1.0; however, it has only recently been upgraded to support up to version 1.2 and not 1.3. Can that change so that 1.3 is supported? Should it be changed?

Re: TLS 1.3 is Final

Post by AmigoJack »

Yet not even PHP supports 1.3.

Re: TLS 1.3 is Final

Post by Heo32 »

You're right. Thanks for pointing that out. Adoption takes time. :)

https://luxsci.com/blog/ssl-versus-tls- ... rence.html
What about TLS v1.3?

TLS v1.3 is the latest and greatest version of TLS. It became an Internet standard on March 25th, 2018. According to NIST, organizations should make plans to support TLS v1.3 by January 1st, 2020 or sooner.
That doesn't mean it can't be added right now. Enabling TLSv1.2 with TLSv1.3 works great using ciphers that are compatible for just those two standards. I have nothing but "A+" analysis reviews on both https://securityheaders.com/ and https://www.ssllabs.com/ssltest/ for my site. It is also fully compatible with almost everything out there, with the exception being "Chrome 49 / XP SP3". For now though, using TLS 1.2 is still absolutely necessary until PHP adopts TLS 1.3. Running TLS 1.3 by itself without TLS 1.2 doesn't work at the moment.

I'm using this on my website (nginx.org setup) with no issues:

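Code:

# Shared session cache (10 MB), 30-minute session lifetime, session tickets disabled
ssl_session_cache          shared:SSL:10m;
ssl_session_timeout        30m;
ssl_session_tickets        off;

# Offer only TLS 1.2 and TLS 1.3
ssl_protocols              TLSv1.2 TLSv1.3;
# TLS13-* entries are the TLS 1.3 suites; EECDH+* entries are the TLS 1.2 suites
ssl_ciphers                TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+SHA384:EECDH+AES+SHA256;
ssl_prefer_server_ciphers  on;

To break it down: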

TLSv1.3
TLS13-AES-128-GCM-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256

TLSv1.2
EECDH+CHACHA20
EECDH+AESGCM
EECDH+AES+SHA384
EECDH+AES+SHA256

Source:
https://www.unrealircd.org/docs/SSL_Cip ... _protocols
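
An added example, not part of the original posts: a Python check that reads the `ssl_protocols` and `ssl_ciphers` lines from the configuration above, separates the `TLS13-*` entries from the TLS 1.2 expression, and expands that expression with the local OpenSSL to show which suites it actually selects. The function names and report keys are hypothetical, and the expanded list depends on the OpenSSL build that Python is linked against.

```python
import re
import ssl

# Constructed input: the two TLS directives from the nginx configuration in the post above.
NGINX_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+SHA384:EECDH+AES+SHA256;
"""

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def directive(conf, name):
    """Return the arguments of the first `name ...;` directive, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).split() if m else None


def audit(conf):
    """Split the cipher string by protocol and expand the TLS 1.2 part locally."""
    protocols = directive(conf, "ssl_protocols") or []
    entries = (directive(conf, "ssl_ciphers") or [""])[0].split(":")
    tls13 = [e for e in entries if e.startswith("TLS13-")]
    tls12_expr = ":".join(e for e in entries if e and not e.startswith("TLS13-"))

    # Let OpenSSL resolve the TLS 1.2 expression into concrete suite names.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(tls12_expr)  # raises ssl.SSLError if nothing matches
    expanded = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

    return {
        "legacy_protocols": sorted(set(protocols) - MODERN_PROTOCOLS),
        "tls13_entries": tls13,
        "tls12_expression": tls12_expr,
        "tls12_suites": expanded,
        # Anything that is not ECDHE would lack forward secrecy.
        "non_forward_secret": [n for n in expanded if not n.startswith("ECDHE-")],
    }


if __name__ == "__main__":
    for key, value in audit(NGINX_CONF).items():
        print(f"{key}: {value}")
```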