F29 Self-Contained Change: GnuTLS enables TLS 1.3 by default


 



== Summary ==
This change enables TLS 1.3 (draft28) support in the gnutls crypto library.

== Owner ==
* Name: Nikos Mavrogiannopoulos

== Detailed Description ==

This change will enable the TLS 1.3 protocol (draft28) in the gnutls
library. TLS 1.3 is the latest version of the TLS protocol, which
addresses a few shortcomings of the previous versions. The protocol has
already been approved by the IETF and is in its final publication stage,
with only minor editorial changes expected. The change is transparent
to existing applications depending on gnutls.

More information for applications using gnutls:
 * https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

== Benefit to Fedora ==

 * This brings the latest TLS protocol support to applications
depending on gnutls, when crypto policies are updated for TLS1.3.

== Scope ==
* Proposal owners:
* Other developers: N/A (not a System Wide Change)

== Upgrade/compatibility impact ==
This change should have no impact on upgrade or compatibility. The TLS
1.3 protocol is designed in a way that does not cause incompatibility
issues with existing (and even broken) implementations.

== How To Test ==
 * Existing work-flows which include secure communications should be tested
 * Command line applications which use TLS (e.g., wget, lftp), should
be tested against web-sites using TLS 1.3 (e.g., www.google.com)

== User Experience ==
This change should not be noticeable by users except for applications
which report the connected protocol. Other things users will notice:
 - Latency on TLS sessions will be reduced
 - Performance of establishment of TLS sessions will be improved due
to ed25519/x25519 support
 - Privacy of TLS sessions will be improved from the perspective of
passive eavesdroppers; no client certificate will be sent in the clear
 - Transparent rekey of long-running sessions

== Dependencies ==

GNOME, samba, rsyslog, wget, lftp, ...

== Contingency Plan ==

If the expected transparent addition of TLS 1.3 cannot be assured
(e.g., important issues are reported), the enablement of the TLS1.3
protocol will be postponed to the next Fedora release.

* Contingency mechanism: The gnutls maintainer will not enable TLS1.3
by default in the build
* Contingency deadline: Fedora 29 beta
* Blocks release? No; the contingency plan is sufficient and can avoid
a release block

== Documentation ==
 * https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html
 * https://www.gnutls.org/manual/gnutls.html#Upgrading-from-previous-versions

-- 
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis