Reputation: 11055
Trying to use TLS 1.3 certificates in Nginx (1.15.8), I found that the official Nginx was built with openssl 1.1.0, whereas for TLS 1.3, openssl 1.1.1 is needed.
To solve this, I built my own openssl 1.1.1 from sources and then nginx from sources (using the openssl I just built). It works perfectly. BUT - I was unable to find any official Nginx distribution with this support built in, in Debian or any other Linux.
Has anyone ever tried this and found an official, pre-built solution?
EDIT: My Docker-based solution is in https://github.com/eldada/nginx-tls13-docker.
Upvotes: 2
Views: 1806
Reputation: 2438
UPDATE: With the release of Ubuntu 18.04.3 which includes OpenSSL 1.1.1, TLS 1.3 is now supported on NGINX 1.14 and later.
As of this writing, there are three distributions that have OpenSSL 1.1.1 and NGINX 1.15: Ubuntu 18.10 (which is not an LTS release), FreeBSD 12.0, and Alpine 3.9.
There are plans to move 18.04 (which is an LTS release) to OpenSSL 1.1.1, but there is currently an open bug tracking its inclusion: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386. Unfortunately, OpenSSL 1.1.1 did not land in Ubuntu 18.04.2, which has been released.
Upvotes: 5
Reputation: 11055
I found that Nginx build and ship their binary with the same openssl as in the target distribution.
Packages in the nginx repository are compiled with OpenSSL as shipped by default in the particular OS. As such, nginx on Debian 9 is compiled with OpenSSL 1.1.0f.
OpenSSL 1.1.1 is currently available in Ubuntu 18.10, and the corresponding nginx packages available from nginx.org are built with OpenSSL 1.1.1.
This is taken from an nginx forum answer.
Upvotes: 0
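Since the packaged nginx inherits whatever OpenSSL the distribution ships, a quick way to tell whether a given binary can offer TLS 1.3 is to read the "built with OpenSSL" line of `nginx -V`. The script below is an added example, not part of any of the posts above; the function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Decide from the text of `nginx -V` whether the linked OpenSSL is >= 1.1.1.
# Real use: supports_tls13 "$(nginx -V 2>&1)"

# Constructed sample outputs (trimmed to the relevant lines).
SAMPLE_DEBIAN9='nginx version: nginx/1.15.8
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled'
SAMPLE_UBUNTU1810='nginx version: nginx/1.15.8
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled'
# A binary compiled against 1.1.0 but loading a newer shared library.
SAMPLE_MIXED='nginx version: nginx/1.15.8
built with OpenSSL 1.1.0f  25 May 2017 (running with OpenSSL 1.1.1  11 Sep 2018)
TLS SNI support enabled'

# Print the effective OpenSSL version: the "running with" library if nginx
# reports one, otherwise the "built with" version. Fails if neither is found.
effective_openssl() {
    line=$(printf '%s\n' "$1" | sed -n '/^built with OpenSSL /{p;q;}')
    [ -n "$line" ] || return 1
    case $line in
        *"(running with OpenSSL "*) ver=${line##*"running with OpenSSL "} ;;
        *) ver=${line#"built with OpenSSL "} ;;
    esac
    ver=${ver%)}
    printf '%s\n' "${ver%% *}"
}

# Exit status: 0 = OpenSSL >= 1.1.1, 1 = older, 2 = no OpenSSL line found
# (for example a build against another TLS library).
supports_tls13() {
    ver=$(effective_openssl "$1") || return 2
    num=${ver%%[a-z]*}                 # drop the letter suffix, e.g. 1.1.0f
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

for s in "$SAMPLE_DEBIAN9" "$SAMPLE_UBUNTU1810" "$SAMPLE_MIXED"; do
    if supports_tls13 "$s"; then r=yes; else r=no; fi
    echo "OpenSSL $(effective_openssl "$s"): TLS 1.3 possible: $r"
done
```

A "yes" only means the library is new enough; TLSv1.3 still has to be listed in the server's `ssl_protocols` directive.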