Tls 1.3 &

Thats a interesting difference in


Yeah later TLS_AES_128_GCM_SHA256 is TLS 1.3 cipher

This SSL/TLS stuff is a deep subject ! hahaha… Thanks EVA2000.

for OpenSSL 1.1.1 and TLS 1.3 see TLS1.3 - OpenSSLWiki

I wonder why BoringSSL did not negotiate TLS_AES_256_GCM_SHA384 doing via 1.3 ? Well all this is pretty beta at the moment. Im sure in a month or so this will all get more ‘hashed’ out… hehehe…

Probably Cloudflare configured server side cipher preferences - CF seem to prefer AES128 even on HTTPS TLS 1.3

That was a good read in the link you provided above. Im not sure Unbound is ready for DNS over TLS 1.3. I need to research this more. I got some weird compile errors using OpenSSL 1.1.1 and Unbound 1.8.0 I thought were my own mistakes, but, maybe not.

1 Like

Would love to see 1.3 final being part of this week’s announcements.


That would be sweat though really Cloudflare can’t update to TLS 1.3 RFC final until major web browsers like Chrome/Firefox update too as that isn’t scheduled until next month in Chrome 70 and Firefox 63. Otherwise, Cloudflare TLS 1.3 enabled users won’t be able to connect to the current browser versions over TLS 1.3.

Yep… Previous versions and the RFC Final are not compatible. Its a known issue. So a upgrade means you break everyone who is using it currently pre Final. That day will come tho and that will be a bit jarring for everyone using pre Final versions. BUT that comes with playing with RC’s…

I have checked with the Unbound devs and Unbound will compile with OpenSSL 1.1.1… So… Looks like its all up to Cloudflare. DNSSEC and TLS over TLS 1.3 is close at hand.

1 Like

The OpenSSL 1.1.1 beta implements TLS1.3 final which is incompatible with TLS1.3 draft28 that GnuTLS implements. So we’ve disabled the TLS1.3 draft28 for the time being (so at least it works over TLS1.2) while working on implementing the TLS1.3 final support.


what about OpenSSL 1.1.1 final GA release’s TLS 1.3 RFC final ? That as removed TLS 1.3 draft 23/28 and only has TLS 1.3 RFC Final.

Its like a version a week… Brings to mind, what is stable just exactly ?

OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years.

And then they came out with 1.1.2 where they fixed files names to reflect its final version. hehehe…

Thank you for clarifying what LTS was. Clearly CF should support this. Well IMHO, but im just a noob.

1.1.2 hasn’t been released yet. That’s the changelog for the current development branch; 1.1.2 is the current label for a planned future release.

1 Like

FWIW TLS 1.3 in GnuTLS 3.6.4 should be compatible with the OpenSSL 1.1.1+, let me know if that works for you now.


sweet that works now @mvavrusa

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

does mean CF to origin over TLS 1.3 is ready too Cloudflare speak TLS 1.3 0-RTT with Origin Backend? ?