Switched to Debian 9 from CentOS 7

Preparing for enabling TLS 1.3.

CentOS 7 (RHEL 7) does not come with an out-of-box nginx that supports TLS 1.3. To be fair, this is not a fault of nginx. The reason is that the openssl in CentOS 7 is too old (1.0.x) to support TLS 1.3, and nginx is dynamically linked to it.
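As an added example (not part of the original post), here is a small POSIX shell check that parses `nginx -V` output to find the OpenSSL library nginx actually runs with and reports whether it is new enough (1.1.1 or later) for TLS 1.3; the function names and the sample `nginx -V` text are my own, and the script assumes only `sed` and `head`.

```shell
#!/bin/sh
# Added example: does the OpenSSL that nginx runs against support TLS 1.3?
# TLS 1.3 needs OpenSSL >= 1.1.1 (and nginx >= 1.13.0 for "TLSv1.3" in
# ssl_protocols). Because nginx is dynamically linked, the "running with"
# library matters, not the headers it was built against.

# Return 0 if an OpenSSL version string ("OpenSSL 1.0.2k-fips  26 Jan 2017")
# is 1.1.1 or newer, 1 otherwise (including unparseable input).
openssl_supports_tls13() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 1 ] && return 0                       # 3.x and later
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0 # 1.2+ (hypothetical)
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Given the full text of `nginx -V`, print the OpenSSL version nginx runs with:
# the "(running with ...)" part when present (runtime library differs from the
# build headers), otherwise the "built with" version.
nginx_runtime_openssl() {
    running=$(printf '%s\n' "$1" | sed -n 's/.*(running with \(OpenSSL [^)]*\)).*/\1/p')
    if [ -n "$running" ]; then printf '%s\n' "$running"; return 0; fi
    printf '%s\n' "$1" | sed -n 's/.*built with \(OpenSSL [0-9][^ ]*\).*/\1/p' | head -n 1
}

# Run the check against the nginx installed on this host, if any.
check_local_nginx() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not installed"; return 2; }
    out=$(nginx -V 2>&1)                 # nginx -V prints to stderr
    ossl=$(nginx_runtime_openssl "$out")
    if openssl_supports_tls13 "$ossl"; then
        echo "nginx runs with $ossl: TLS 1.3 can be enabled"
    else
        echo "nginx runs with ${ossl:-unknown OpenSSL}: no TLS 1.3 support"
        return 1
    fi
}

# Constructed sample of nginx -V output, as seen on a mixed build/runtime host.
SAMPLE_NGINX_V=$(printf 'nginx version: nginx/1.14.2\nbuilt with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1d  10 Sep 2019)\nTLS SNI support enabled\n')
```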

Meanwhile, there’s no official repo which provides openssl 1.1.1 or a statically-linked nginx with TLS 1.3 support.

It’s quite possible for me to compile nginx 1.3 w/ openssl 1.1.1 by hand. But that can be too annoying, as the same procedure will need to be repeated over and over again each time nginx or openssl releases a new version.

It seems that Debian provides a newer nginx / openssl, presumably with TLS 1.3 support, albeit in their testing repo. But that’s still quite acceptable for me. I’m going to check it later.

Indeed, Ubuntu also provides newer (often even newer than Debian) versions of software, but after searching the web it seems they’re not as suitable for server use as Debian.

As a side effect, chacha20 & camellia are supported now.

Migrating data is annoying, though.
