Hello, welcome to the Wednesday, October 23rd, 2019 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Santa Monica, California.

TLS 1.3 is the most current and already reasonably well-supported version of TLS. It does offer a number of security

in privacy, but also performance improvements over older versions of TLS, in particular TLS 1.2,

which is at this point really the oldest TLS version that you should still support.

But what's still a bit of problem is testing actually if you have TLS 1.3 enabled and if it is

correctly configured with the right set of ciphers. Most notably the NMAP TLS testing script doesn't yet support TLS 1.3, which also may be

a little bit of problem with OpenSSL.

OpenSL only supports TLS 1.3 as a version 1.1.1, which isn't yet sort of common with

some currently still used Linux distributions.

To help you with this Boyan listed in his diary today, two options that you have to check

for TLS version 1.3 support.

The probably simplest way is just to use open SSL's client module directly.

Again, that requires that you have version 1.1.1 installed. The other option you have is the testssel.sh script.

That's coming from GitHub and also has TLS version 1.3 support.

Before you roll out TLS 1.3 in particular on your web service double check that your middle boxes

supported correctly so you don't run to any problems and will actually reap some of the benefit of using

TLS 1.3. And we got an update for Google Chrome. Now this update fixes as usual a number of

security updates but one of the sort of highlights that's not actually a security patch is the

beginning support for DNS over HTTP. Of course, Mozilla with Firefox has been a little bit

a trailplacer here for this protocol. Now, Google is trying to do a little bit more measured approach with DNS over

HTTP. With Firefox, you're sort of being pushed to the use of Cloudflare for your DNS

...