My Datacenter specs say they've supported both TLS 1.2 and TLS 1.3 since I moved my files there 2 years ago.

Chrome and Firefox both have TLS 1.3 on by default.

So I think this is more of just an official standards announcement. But good news indeed.

"We are merely one voice in the grand cosmic fugue." - Carl Sagan

All that is true, of course, yet the reality is there are "billions and billions" of websites yet to embrace the technology. Time will tell, of course. :)

Websites won't really have to do anything. The HTTPS is in place. As the security certificate key code is automatically updated, so it will upgrade. This is how it upgraded from 1.1.

The ones that do nothing are HTTP....

Er ... what is that site certificate for? Again? Lets Encrypt?

@keyplyr, that cake and eat it too is a tough row to hoe.

Takes two parties for TLS to work. Sender and Receiver.

Yes Tangor. Certs will update and browsers will too. As I said, Chrome and Firefox already have TLS 1.3 on by default.

This is almost seamless. Some old servers may need to be retired if they can't support the newer standards. This is always the case.

Thanks for the news. Always a good thing to learn that security measures are keeping up.

Good news. It's been a while, I was awaiting after the final draft of the TLSv1.3 protocol.

Just as remarks:
- TLSv1.3 is protocol, so TLS certificates are the same.
- Client software are supporting it since some years, but not necessarily the last draft, this is not a problem with Firefox or Chrome, which are updating often, but this can be an issue for Middleware components, so within some networks the protocol will fail, but will automatically switch to TLSv1.2
- For webmasters managing their own dedicated server, or VPS, if you use OpenSSL, it will require to update it, because the actual stable version doesn't handle TLSv1.3, but the dev version does, and is in beta testing. (OpenSSL had announced they wouldn't release a new version until the TLSv1.3 spec would be final).
- TLSv1.3 also removes all weak ciphers, but I guess that nearly no webmasters are using custom ciphers list.

Next thing I am awaiting now, is the QUIC protocol to be made a standard and official.

An important milestone!

Anyone know if a particular kernel version is required to support TLS 1.3?

Next thing I am awaiting now, is the QUIC protocol to be made a standard and official.

Indeed, although it didn't help that much when I tested it with the Caddy web server. Still, a nice-to-have.

[edited by: robzilla at 11:07 am (utc) on Aug 14, 2018]

- TLSv1.3 is protocol, so TLS certificates are the same.

My bad, I forget about DSA certificates. DSA cert will no longer work with TLS v1.3

Indeed, although it didn't help that much when I tested it with the Caddy web server. Still, a nice-to-have.

I tried Caddy too, when I was searching for a web server software with early QUIC implementation. The problem is that, Caddy is slower than Nginx or H20 at the basis. So I don't think the QUIC implementation in GO is representative of the gain it can produce. I tested quicly, the QUIC implementation for H2O , it works better, but this is not usable in production server at all yet. By the way, Kazuho Oku, is very active and a genius :)

h2o has a nice feature set, but the need to write Ruby to do more complex stuff has put me off. nginx + modules still works well for me, although it would be nice to skip the modules part and have things like brotli be a part of the standard feature set. Some day.

Looks like [github.com] you can now compile nginx with Google's BoringSSL to get TLS 1.3. Will have to try that soon, not sure if that will fly on my CentOS 6 machines.

So I think this is more of just an official standards announcement. But good news indeed.

Not really. So far, servers which were supporting TLSv1.3 were supporting the "working drafts". Here, we talk about the definitive specifications of the protocol, which means there are differences, between the drafts and final specs. They might be minor, but can still impact the dialog between a client and a host.

So for example, a host could have been proposing TLSv1.3 already, a client could have been supporting TLSv1.3 already, but if they were not using the same draft, they would fall back to TLSv1.2.

Same for the QUIC protocol.

Since I use debian on my servers, I rely on OpenSSL , and TLSv1.3 is supported only with OpenSSL 1.1.1 which is not yet in the stable repository of Debian (it breaks other libraries), and I don't want to try to install this kind of important package from sources. So I am waiting.

Chrome now supports the final spec of TLS 1.3. Just tried a custom build of nginx with OpenSSL 1.1.1 and TLS 1.3 seems to be working, pretty sweet :-) Hopefully I can find some time soon to upgrade on production servers. Not expecting big performance gains though.

I don't know in which proportions, but there is also an issue with middle boxes, which are blocking TLS v1.3 traffic because it's an unknown protocol to them. But I have no idea if it closes the connection ,of it falls back to TLS v1.2