I am not conservative and can relate to the need/call for brand new standards like TLS 1.3. I would also like to support TLS 1.3 in the docker image. But we need to consider compatibility and security and stability as well.

Currently the Docker image is a 100% drop-in replacement for the original Nginx image. Making it a low bar to add PageSpeed features to existing docker deployments is good for adoption. Only the docker image needs to be changed and no additional compatibility test needs to be done. The compatibility is not 100% anymore when we change the SSL library.

LibreSSL started as a fork of OpenSSL and the conservative OpenBSD maintainers deprecated a lot of code, making LibreSSL a more lean and conservative choice. Lean and conservative in a crypto library are a good thing when it comes to security. When looking at the CVE list of the last few years, LibreSSL proved to be the best choice when it comes to security. This is why Alpine chose LibreSSL as their default TLS library and probably why the Nginx docker image (guessing here) didn't switch yet.

TLS 1.3 is a young standard and most server side packages supporting it are in a testing phase at best. LibreSSL doesn't seem to be actively working on TLS 1.3 support (see https://github.com/libressl-portable/portable/issues/228). Not having the feature in trunk is not so strange given the nature of LibreSSL, but it is still a bit worrisome for me.

Based on compatibility and security and stability I don't like the idea of changing libraries for the current image. However, I think it's worth considering adding an extra docker image flavor (tag) for those who need TLS 1.3, with BoringSSL. Although OpenSSL has an Alpine package, the amount of CVEs is holding me back from even considering making this based on OpenSSL, but compiling BoringSSL seems a good compromise.

Best Regards,
Nico Berlee

Vitalii Tverdokhlib wrote on Thu 11-10-2018 at 10:50 [+0300]:
> Nginx has supported TLS 1.3 early data with OpenSSL 1.1.1 and BoringSSL
> starting from 1.15.3/4 - http://nginx.org/en/CHANGES
>
> The current pagespeed alpine image uses libressl
>
> What is the next direction?
>
> - wait for LibreSSL
> - switch to OpenSSL (https://pkgs.alpinelinux.org/packages?name=openssl1.1&branch=edge&repo=testing&arch=x86_64)
> - build with BoringSSL?

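The thread turns on which TLS library a given nginx binary was linked against and whether that combination is one of the ones nginx's CHANGES lists for TLS 1.3 early data (OpenSSL 1.1.1 from nginx 1.15.4, BoringSSL from 1.15.3). The following POSIX shell snippet is an added example written for this page; it is not code from the thread, from the pagespeed image or from nginx. It classifies an `nginx -V` banner, decides whether TLS 1.3 is expected to work under the thresholds named above (LibreSSL is treated as "not yet", as the thread states), and prints the nginx directives a TLS 1.3 server block needs, including the early-data replay caveat from the nginx docs. The three sample banners are constructed; the exact BoringSSL banner text is an assumption, so only the substring "BoringSSL" is matched.

```shell
#!/bin/sh
# Added example (not from the thread or any project): check an `nginx -V`
# banner for TLS 1.3 readiness and emit a matching server config fragment.

# Compare two dotted numeric versions; return 0 if $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# "nginx version: nginx/1.15.5" -> "1.15.5"
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p'
}

# Which library the binary reports. BoringSSL is checked first because its
# banner also contains the word OpenSSL (assumed format, see lead-in).
tls_library() {
    case "$1" in
        *BoringSSL*) echo boringssl ;;
        *LibreSSL*)  echo libressl ;;
        *OpenSSL*)   echo openssl ;;
        *)           echo unknown ;;
    esac
}

# "built with OpenSSL 1.1.1a  ..." -> "1.1.1" (letter suffix dropped)
openssl_version() {
    printf '%s\n' "$1" | sed -n 's#.*built with OpenSSL \([0-9.]*\).*#\1#p'
}

# Return 0 when the nginx/library pair is one the thread names as TLS 1.3
# capable: BoringSSL with nginx >= 1.15.3, or OpenSSL >= 1.1.1 with
# nginx >= 1.15.4. LibreSSL and unknown libraries return 1.
tls13_ready() {
    nv=$(nginx_version "$1")
    case "$(tls_library "$1")" in
        boringssl) version_ge "$nv" 1.15.3 ;;
        openssl)   version_ge "$nv" 1.15.4 && version_ge "$(openssl_version "$1")" 1.1.1 ;;
        *)         return 1 ;;
    esac
}

# Server-block directives for TLS 1.3 with 0-RTT. Early data is replayable,
# so the nginx docs say to forward $ssl_early_data to the backend and reject
# non-idempotent requests there when the header is "1".
tls13_server_config() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
EOF
}

# Constructed sample banners in the shape `nginx -V` prints them.
SAMPLE_LIBRESSL='nginx version: nginx/1.15.5
built with LibreSSL 2.7.4
TLS SNI support enabled'
SAMPLE_OPENSSL='nginx version: nginx/1.15.5
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled'
SAMPLE_BORINGSSL='nginx version: nginx/1.15.3
built with OpenSSL 1.1.1 (compatible; BoringSSL)
TLS SNI support enabled'

for banner in "$SAMPLE_LIBRESSL" "$SAMPLE_OPENSSL" "$SAMPLE_BORINGSSL"; do
    if tls13_ready "$banner"; then
        echo "$(tls_library "$banner") nginx/$(nginx_version "$banner"): TLS 1.3 expected"
    else
        echo "$(tls_library "$banner") nginx/$(nginx_version "$banner"): no TLS 1.3"
    fi
done
```

On a real host run it as `tls13_ready "$(nginx -V 2>&1)"`; the banner goes to stderr, hence the redirect. A positive result only says the build can negotiate TLS 1.3; the `ssl_protocols` line still has to list TLSv1.3, and `ssl_early_data` should stay off unless the backend actually honours the Early-Data header.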