Enabling TLS 1.3

Is it possible to enable TLS 1.3 on Discourse? How is the local Nginx configured?

We disabled TLS 1.0 and 1.1 in mid 2018 per this topic.

Do we have TLS 1.3 support at least enabled somewhere @mpalmer?

https://caniuse.com/#feat=tls1-3

2 likes

No, I don’t think we’ve turned on TLS 1.3 anywhere yet.

3 likes

We run NGINX 1.5 at the moment in the containers:

Per:

https://github.com/discourse/discourse_docker/blob/master/templates/web.ssl.template.yml#L21

We only enable TLSv1.2

I am mixed on enabling TLSv1.3 until RFC 8446 is ratified though.

For the time being, simply adding another template after the ssl template with:

    - replace:
        hook: ssl
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: ssl_protocols TLSv1.2;
        to: |
          ssl_protocols TLSv1.2 TLSv1.3;

would do the trick; the question, though, is whether this is a trick you want to do given the protocol is still not ratified (even though it is being implemented).

5 likes

I guess you already knew that, but only changing the ssl_protocols won't help because the underlying nginx and openssl version has to support it, which is not the case ATM on the docker base image.

We just released a new base image with support for TLS 1.3 :tada:.

8 likes

Looking at the nginx config file inside the container, I see these settings.

SSL configuration

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Drop SSLv3, ref: POODLE

Should the references to TLSv1 and TLSv1.1 be removed because of the BEAST attack?

Two different site checkers show that TLSv1 and TLSv1.1 are not enabled. I can't tell where they are being disabled.

It is defined here
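As an added example (not code from the thread, from discourse_docker, or from nginx itself), here is a small Python check for the question above of where a protocol list actually takes effect: it resolves which `ssl_protocols` directive applies to each `server` block, since a server-level directive overrides the http-level one, and flags any legacy versions still offered. The config it parses is a constructed sample, not the real discourse.conf.

```python
import re

# Versions the thread discusses dropping: SSLv3 (POODLE) and TLSv1/TLSv1.1 (BEAST, deprecated).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample, not the real discourse.conf: an http-level list that still names
# TLSv1/TLSv1.1, one server block that overrides it and one that inherits it.
SAMPLE_CONFIG = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Drop SSLv3, ref: POODLE
    server { server_name discourse.example; ssl_protocols TLSv1.2 TLSv1.3; }  # overrides
    server { server_name legacy.example; }  # no directive: inherits the http-level list
}
"""

def strip_comments(text):
    """Drop '#' comments (simplification: ignores '#' inside quoted strings)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def effective_protocols(config):
    """Map each server_name to the ssl_protocols set nginx applies to it: a server {}
    directive overrides the http {} one, a server without one inherits it, and None
    means neither set it (the build's compiled-in default applies)."""
    tokens = re.findall(r"[^\s{};]+|[{};]", strip_comments(config))
    http_protocols, servers, stack, stmt = None, [], [], []
    for tok in tokens:
        if tok == "{":  # open a context; remember what kind of block it is
            stack.append({"kind": stmt[0] if stmt else "?", "name": None, "protocols": None})
            stmt = []
        elif tok == "}":  # close it; record servers and the http-level list
            ctx = stack.pop()
            if ctx["kind"] == "server":
                servers.append((ctx["name"] or f"server#{len(servers) + 1}", ctx["protocols"]))
            elif ctx["kind"] == "http":
                http_protocols = ctx["protocols"]
            stmt = []
        elif tok == ";":  # end of a directive inside the current context
            if stack and stmt[:1] == ["ssl_protocols"]:
                stack[-1]["protocols"] = set(stmt[1:])
            elif stack and len(stmt) > 1 and stmt[0] == "server_name":
                stack[-1]["name"] = stmt[1]
            stmt = []
        else:
            stmt.append(tok)
    return {name: own if own is not None else http_protocols for name, own in servers}

def legacy_enabled(config):
    """Per server, the legacy protocols still negotiable (what an external checker flags)."""
    return {name: sorted(protos & LEGACY) for name, protos in effective_protocols(config).items() if protos}
```

On the sample, `legacy_enabled(SAMPLE_CONFIG)` reports only legacy.example as still offering TLSv1 and TLSv1.1, which is the kind of mismatch between "what the file says" and "what a checker sees" the question describes.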