# FreeBSD 11 TLS 1.3



## bagas (May 31, 2019)

Hello.
When will TLS 1.3 appear on FreeBSD 11?

```
OpenSSL 1.0.2o-freebsd  27 Mar 2018
```


```
FreeBSD 11.2-RELEASE-p10 amd64
```
For the time being, I cannot switch to FreeBSD 12.0.


----------



## SirDice (May 31, 2019)

It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.

If you need OpenSSL 1.1.1 you can set `DEFAULT_VERSIONS+= ssl=openssl111` and build everything from ports. Note that this will only work for ports, it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).


----------



## bagas (May 31, 2019)

SirDice said:


> It's not going to be included in 11.3. TLS 1.3 was added to OpenSSL 1.1.1. FreeBSD 11.3 will have OpenSSL 1.0.2s.
> 
> If you need OpenSSL 1.1.1 you can set `DEFAULT_VERSIONS+= ssl=openssl111` and build everything from ports. Note that this will only work for ports, it does nothing to change the OpenSSL from the base (or change any of the base SSL dependencies).


This is bad news.


----------



## SirDice (May 31, 2019)

bagas said:


> This is bad news.


It depends on what you need TLS 1.3 for.


----------



## usdmatt (May 31, 2019)

Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.


----------



## bagas (May 31, 2019)

SirDice said:


> It depends on what you need TLS 1.3 for.


I need TLS 1.3 in nginx.


----------



## bagas (May 31, 2019)

usdmatt said:


> Being devil's advocate as always, what's the requirement for 1.3? Even governments still accept 1.2 as a baseline. Seems strange to be in a situation where you can't upgrade to 12 (which isn't exactly a major change from 11), but need the bleeding edge of TLS support.


I use a jail; if it is updated to FreeBSD 12.0, the jail will not start.
I already tried to transfer the jail from FreeBSD 11.2 to 12.0, and the jail does not start.


----------



## bagas (May 31, 2019)

This bug
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219524


----------



## SirDice (May 31, 2019)

bagas said:


> I need TLS 1.3 in nginx.


Then set `DEFAULT_VERSIONS` and build from ports.


----------



## bagas (May 31, 2019)

SirDice said:


> Then set `DEFAULT_VERSIONS` and build from ports.


Please explain.


----------



## SirDice (May 31, 2019)

Set in /etc/make.conf:

```
DEFAULT_VERSIONS+= ssl=openssl111
```
Then (re)build everything from ports.


----------



## bagas (May 31, 2019)

SirDice said:


> Set in /etc/make.conf:
> 
> ```
> DEFAULT_VERSIONS+= ssl=openssl111
> ```
> ...




```
# pkg version | grep "openssl1"
openssl111-1.1.1c
```


```
OpenSSL> version
OpenSSL 1.0.2o-freebsd  27 Mar 2018
```
After installing openssl111, I rebuilt all ports dependent on openssl111.
In nginx I indicated TLS 1.3.
Google Chrome recognizes TLS 1.2, but does not see TLS 1.3.


----------



## SirDice (May 31, 2019)

Note the difference between /usr/bin/openssl (from the base OS) and /usr/local/bin/openssl (from ports/packages).


----------



## bagas (May 31, 2019)

After installing openssl111, I rebuilt all ports dependent on openssl111:

```
portupgrade -frR security/openssl111
```


----------



## rigoletto@ (Jun 1, 2019)

Just installing security/openssl111 will not do the trick. You should set `DEFAULT_VERSIONS` as pointed out by SirDice before rebuilding all ports, and the right OpenSSL version from ports will be installed automatically when you upgrade.


----------
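The posts above turn on two things: the base `/usr/bin/openssl` and the ports `/usr/local/bin/openssl` are different builds, and nginx only gets TLS 1.3 once it is linked against the ports library. The following check is an added example, not part of the thread; the function names are hypothetical and `/usr/local/sbin/nginx` is assumed to be where the port installed nginx.

```shell
#!/bin/sh
# Added example (not from the thread): compare base and ports OpenSSL and see
# which libssl nginx is linked against. Function names are hypothetical.

# Succeed if an "openssl version" string is 1.1.1 or newer (TLS 1.3 capable).
supports_tls13() {
    printf '%s\n' "$1" | awk '{
        split($2, v, ".")                 # "1.0.2o-freebsd" -> 1, 0, "2o-freebsd"
        sub(/[^0-9].*/, "", v[3])         # drop the letter/vendor suffix
        a = v[1] + 0; b = v[2] + 0; c = v[3] + 0
        ok = (a > 1) || (a == 1 && (b > 1 || (b == 1 && c >= 1)))
        exit(ok ? 0 : 1)
    }'
}

# Classify the libssl line of "ldd <binary>" output: ports and packages
# install under /usr/local, anything else is the base system library.
libssl_origin() {
    line=$(printf '%s\n' "$1" | grep 'libssl\.so' | head -n 1)
    case "$line" in
        "")                 echo none ;;
        *"=> /usr/local/"*) echo ports ;;
        *)                  echo base ;;
    esac
}

# Report on the live system; binaries that are absent are skipped.
report() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || { echo "$bin: not installed"; continue; }
        v=$("$bin" version 2>/dev/null) || v="unknown"
        if supports_tls13 "$v"; then s="TLS 1.3 capable"; else s="no TLS 1.3"; fi
        echo "$bin: $v ($s)"
    done
    nginx=/usr/local/sbin/nginx           # assumed install path of the port
    [ -x "$nginx" ] &&
        echo "$nginx uses libssl from: $(libssl_origin "$(ldd "$nginx" 2>/dev/null)")"
    return 0
}

# Constructed samples: the first string is the base version quoted in the
# thread, the second is what the openssl111-1.1.1c package would print.
for s in "OpenSSL 1.0.2o-freebsd  27 Mar 2018" "OpenSSL 1.1.1c  28 May 2019"; do
    if supports_tls13 "$s"; then echo "$s -> TLS 1.3 capable"
    else echo "$s -> no TLS 1.3"; fi
done
report
```

If the nginx line reports `base`, the binary was built before `DEFAULT_VERSIONS` was set and is still linked against the base 1.0.2 library, so it cannot negotiate TLS 1.3 whatever its configuration says.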



## bagas (Jun 1, 2019)

Thanks!


----------



## alfa (Dec 3, 2022)

Here is a complete guide to enabling TLSv1.3 support on FreeBSD 11.x nginx:

FreeBSD Nginx enable Tlsv1.3 support – ucanbsd.com


----------



## SirDice (Dec 5, 2022)

FreeBSD 11 is now End-of-life and should not be used anymore.









Unsupported FreeBSD Releases (www.freebsd.org)


----------

