Most Of The World Will Have Access To TLS 1.3 On April 5th

OpenSSL TLS 1.3 will release in April.

We have been talking about TLS 1.3 for a while. It is the first new version of the TLS protocol in nearly a decade and is going to be a huge leap forward for the industry. It is sort of like releasing a decade’s worth of advances and improvements in cryptography all at once.

The IETF (Internet Engineering Task Force) is in charge of designing the TLS protocol. They have almost finished version 1.3’s protocol specification – which is currently in “Last Call,” meaning that they are soliciting final comments from the community before officially stamping it as complete.

But the TLS 1.3 protocol specification only tells you how TLS 1.3 should work. It’s essentially a manual that anyone who wants to implement TLS 1.3 needs to follow, which means that “finishing” the protocol does not get us any closer to actually using it. The code still needs to be written, and existing TLS libraries need to be updated and deployed.

There have been some early adopters of TLS 1.3. Cloudflare is already using the protocol despite it not being officially finalized, and some libraries have already been updated. However, the most widely used TLS library, OpenSSL, has not.

This means that most websites won’t be able to use TLS 1.3 until OpenSSL adds support, regardless of when the IETF finalizes the spec. There had been some speculation that this could take more than 6 months.

But Rich Salz recently shared good news about TLS 1.3 support in OpenSSL. Salz works on the OpenSSL development team and is an employee at Akamai (a major CDN/Cloud-computing provider). Last week he announced that Akamai would be sponsoring the development of TLS 1.3 support for OpenSSL. As an open-source project, OpenSSL relies on donations and sponsorships to support continued development.

In addition, the OpenSSL team has committed to a release date. TLS 1.3 will be added to OpenSSL 1.1.1, which will be released on April 5th, 2017.

When OpenSSL 1.1.1 releases in April, the internet won’t magically flip over to TLS 1.3 overnight. The millions of websites using OpenSSL will first need to update to the new version. For those working with more complicated stacks, major version updates are no small feat.

But the good news is that OpenSSL 1.1.1 will be fully compatible with the current release, 1.1.0. That’s why Salz recommends that you get version 1.1.0 in place now, and when 1.1.1 is released, you can “drop it in” and immediately have TLS 1.3 support.

The industry has been brimming recently over the adoption of TLS 1.3. This announcement from OpenSSL and Akamai is a major step in making that a reality.

2 comments
  • Has anyone actually seen the release yet? I’ve refreshed their blog / downloads pages about 1000 times, seems to be no change yet, nor is there any kind of announcement that release has been moved back to X date?

    • You are right, there has been no release with TLS 1.3 support.

      It looks like the Akamai blog we were sourcing from was *very* poorly worded. Rich Salz, the author of that post and the maintainer of OpenSSL, has just recently posted that he didn’t mean the new version would be released on April 5th, just that it would be “available.” This is very bad communication in our opinion.

      If you do want to get a version of OpenSSL with TLS 1.3 support, you would need to build your own from the master branch here: https://github.com/openssl/openssl

      https://twitter.com/rlove/status/850027970584608772
