Hello community,
### OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:

- TLS13-AES-256-GCM-SHA384
- TLS13-CHACHA20-POLY1305-SHA256
- TLS13-AES-128-GCM-SHA256
- TLS13-AES-128-CCM-8-SHA256
- TLS13-AES-128-CCM-SHA256

via: https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/

### These ciphersuites' `normal names` are as follows (with underscores and without `13`):

```
bash-4.4# pwd
/usr/local/openresty/openssl
bash-4.4# bin/openssl
OpenSSL> ciphers
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:....
```

### To enable those ciphersuites in openresty/apisix, we need to modify this (not in config.yaml && nginx.conf):

```
bash-4.4# cat /usr/local/openresty/openssl/ssl/openssl.cnf
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# bash-4.4# bin/openssl
# OpenSSL> ciphers
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
Options = ServerPreference
```

### Test your sites by: https://www.ssllabs.com/ssltest/ (the right response will include:)

```
Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_AES_128_CCM_8_SHA256 (0x1305)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_AES_128_CCM_SHA256 (0x1304)   ECDH x25519 (eq. 3072 bits RSA)   FS
```

### Tips:

[How to] Openresty/Apisix build with TLS 1.3: https://github.com/apache/incubator-apisix-docker/blob/master/alpine/Dockerfile
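A pre-deployment check for the `openssl.cnf` edit described above, as an added example that is not part of the original post or of OpenSSL/APISIX: it follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain and flags any `Ciphersuites` entry still written in the hyphenated `TLS13-` spelling instead of the name `openssl ciphers` prints. The function names, messages and the sample file are assumptions made for this illustration.

```python
import re

# The five TLS 1.3 suite names that `openssl ciphers` prints, as listed in the post.
TLS13_SUITES = set(("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
                    "TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256").split(":"))
# Constructed sample: the post's file layout, with one hyphenated name left in.
SAMPLE = """openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS13-AES-256-GCM-SHA384:TLS_AES_128_GCM_SHA256
Options = ServerPreference
"""

def parse_cnf(text):
    """Minimal openssl.cnf reader: [sections], key = value, # comments."""
    sections, current = {"default": {}}, "default"  # keys before any header go to "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if header := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_tls13_config(text):
    """Follow openssl_conf -> ssl_conf -> system_default, then lint that section."""
    cnf, problems, section = parse_cnf(text), [], "default"
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = cnf[section].get(key)
        if target not in cnf:
            return [f"[{section}] {key} does not name an existing section"]
        section = target
    suites = [s for s in cnf[section].get("Ciphersuites", "").split(":") if s]
    if not suites:
        problems.append(f"[{section}] sets no Ciphersuites")
    for name in suites:
        if name.startswith("TLS13-"):
            fixed = "TLS_" + name[len("TLS13-"):].replace("-", "_")
            problems.append(f"{name}: old-style name, use {fixed}")
        elif name not in TLS13_SUITES:
            problems.append(f"{name}: not one of the five TLS 1.3 suites")
    if "ServerPreference" not in re.split(r"[,\s]+", cnf[section].get("Options", "")):
        problems.append("Options lacks ServerPreference")
    return problems
```

`check_tls13_config(SAMPLE)` returns one finding for the hyphenated name; an empty list means the chain resolves and every listed suite uses the underscore spelling.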
