TLS 1.3 is now mature enough to be used in production. Since Cloudflare deployed TLS 1.3 at their edge, and Google added TLS 1.3 to Chrome, it is already being used by around 50% of modern clients.
ChaCha20_Poly1305 is a cipher suite that is very fast on devices without AES-NI (for example cheaper Android phones and tablets). It has been supported in OpenSSL since v1.1.0 and there is also a patch which detects when devices don't have AES-NI and automatically prioritises ChaCha20 regardless of its position in the cipher suite order.
Support for both of these in cPanel would be great.
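The ChaCha20 prioritisation mentioned in the post above, sketched as an added example (not part of the original post and not OpenSSL's or cPanel's code). It assumes the server infers missing AES acceleration from ChaCha20 being first in the client's offer, which is how OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA option behaves; the function names and the client offers are constructed for illustration.

```python
# Added illustration: server-side cipher selection with a
# "prioritise ChaCha20 when the client prefers it" rule.
# Suite names are OpenSSL names; the lists below are constructed samples.

SERVER_PREFERENCE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",   # deliberately last in the server order
]


def is_chacha(suite):
    return "CHACHA20" in suite


def choose_cipher(client_offer, server_pref=SERVER_PREFERENCE,
                  prioritize_chacha=True):
    """Return the suite a server-preference server would pick, or None."""
    order = list(server_pref)
    # The server cannot see the client's CPU. Its only hint is the offer
    # order: clients without AES hardware put ChaCha20 first.
    if prioritize_chacha and client_offer and is_chacha(client_offer[0]):
        order = ([s for s in order if is_chacha(s)] +
                 [s for s in order if not is_chacha(s)])
    offered = set(client_offer)
    for suite in order:
        if suite in offered:
            return suite
    return None   # no shared suite: the handshake would fail


# Constructed client offers (most preferred first).
PHONE_NO_AES_HW = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]
DESKTOP_AESNI = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"]
LEGACY_ONLY = ["AES128-SHA"]

if __name__ == "__main__":
    for name, offer in [("phone", PHONE_NO_AES_HW),
                        ("desktop", DESKTOP_AESNI),
                        ("legacy", LEGACY_ONLY)]:
        print(name, "->", choose_cipher(offer),
              "| without the rule:", choose_cipher(offer, prioritize_chacha=False))
```

With the rule off, the phone is pushed onto AES-GCM purely because of the server's own ordering, which is the case the patch is meant to avoid.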
This needs to be implemented ASAP. cPanel needs to keep up with change at a faster pace, especially when it's for the good.
As per Apache changelog, mod_ssl already has support for OpenSSL 1.1.1 and TLS 1.3 since v2.4.36: http://www.apache.org/dist/httpd/CHANGES_2.4.37
So who's lagging behind this time? CentOS again?
To be honest, while this update is indeed well needed and expected, there isn't a HUGE rush for it, as most servers will have multiple versions of TLS running (which is bad. Below 1.2 is unsafe) because many end clients (EMAIL CLIENTS) simply are not updated fast enough to know what to do with new handshake protocols.
There is a large majority of email clients who can't accept TLS 1.2 (I know, WTF?!) such as older Apple and Microsoft products, amongst others.
So when servers do get TLS 1.3 running, the browser will be fine but email communications may well be broken, so lower versions of TLS will need to be in backup so really, at the end of the day, having TLS 1.3 is not YET critical, but it would be definitely positive to have sooooooooon.
This would be a nice feature to have rolled out but I accept it may take a little longer with proper testing and packages being available from Cloud Linux / CentOS.
Hello,
Is there any news about this feature?
Support for OpenSSL 1.0.2 ends 31/12/2019.
cPanel upgrade to OpenSSL 1.1.1, ETA?
Thanks
We would really like this feature as well. Quite a few benefits with TLS 1.3 and with nearly every page these days being SSL, the time to first byte would be much improved due to the handshake changes.
Hello,
https://github.com/CpanelInc/ea-openssl11
ZC-4361: Initial commit (changes by `ea4-tool add`)
OpenSSL 1.1.1
I have included this one as a footnote of a request for http 3/0 support, as http 3/0 requires the use of TLS 1.3. Please see below:
https://features.cpanel.net/topic/http-30
This server feature, TLS 1.3, is critical for competitive companies and their donors seeking a secure donation mechanism. Thank you. You guys are amazing!
Hello,
https://blog.cpanel.com/openssl-1-1-1-and-tlsv1-3-beta-testing-open-call/
:)
OpenSSL v1.1.1 with TLS 1.3 support was added to EasyApache 4 yesterday (https://docs.cpanel.net/ea4/information/easyapache-4-release-notes/).
Thank you, @cPanelTabby!
Does anyone know why setting "TLSv1.3 TLSv1.2" as your cipher suite does not enable TLS 1.3, but using "ALL -SSLv3 -TLSv1 -TLSv1.1" works great?
Also, any word on when TLS 1.3 will be enabled by default alongside TLS 1.2? I have to manually override the cPanel default to enable TLS 1.3 at the moment.