OpenSSL will release TLS 1.3 support in April.
We have been talking about TLS 1.3 for a while. It is the first new version of the TLS protocol in nearly a decade and is going to be a huge leap forward for the industry. It is sort of like releasing a decade’s worth of advances and improvements in cryptography all at once.
The IETF (Internet Engineering Task Force) is in charge of designing the TLS protocol. They have almost finished version 1.3’s protocol specification – which is currently in “Last Call,” meaning that they are soliciting final comments from the community before officially stamping it as complete.
But the TLS 1.3 protocol specification only tells you how TLS 1.3 should work. It’s essentially a manual that anyone who wants to implement TLS 1.3 needs to follow, which means that “finishing” the protocol does not get us any closer to actually using it. The code still needs to be written, and existing TLS libraries need to be updated and deployed.
There have been some early adopters of TLS 1.3. Cloudflare is already using the protocol despite it not being officially finalized, and some libraries have already been updated. However, the most widely used TLS library, OpenSSL, has not.
This means that most websites won’t be able to use TLS 1.3 until OpenSSL adds support, regardless of when the IETF finalizes the spec. There had been some speculation that this could take more than 6 months.
But Rich Salz recently shared good news about TLS 1.3 support in OpenSSL. Salz works on the OpenSSL development team and is an employee at Akamai (a major CDN/Cloud-computing provider). Last week he announced that Akamai would be sponsoring the development of TLS 1.3 support for OpenSSL. As an open-source project, OpenSSL relies on donations and sponsorships to support continued development.
In addition, the OpenSSL team has committed to a release date. TLS 1.3 will be added to OpenSSL 1.1.1, which will be released on April 5th, 2017.
When OpenSSL 1.1.1 releases in April, the internet won’t magically flip over to TLS 1.3 overnight. The millions of websites using OpenSSL will first need to update to the new version. For those working with more complicated stacks, major version updates are no small feat.
But the good news is that OpenSSL 1.1.1 will be fully compatible with the current release, 1.1.0. That’s why Salz recommends that you get version 1.1.0 in place now, and when 1.1.1 is released, you can “drop it in” and immediately have TLS 1.3 support.
The industry has been brimming with excitement recently over the adoption of TLS 1.3. This announcement from OpenSSL and Akamai is a major step in making that a reality.