
Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication - vbtechguy
https://community.centminmod.com/threads/16795/
======
tialaramex
Interestingly they've chosen to just not offer 0RTT at all at the back end, at
least for now.

I'm not actually sure if this helps. I guess it means 0RTT mitigation at
Cloudflare concentrates the risk there - they can take full responsibility for
doing a good job and if your clients have nasty RTT (e.g. satellite) you get
most of the benefit with no work. Still, if you're very small 0RTT safety is
easy whereas Cloudflare has to work very hard to even make it somewhat resist
replays because their system is so distributed.

~~~
dward
The policy seems sane.

* They know when they can serve 0RTT from their cache safely because they can be reasonably certain if handling a cached request is side effect free.

* If connections to backend origins are reasonably persistent, there's not much latency reduction benefit from 0RTT compared to connections from consumer user agents.
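
The origin-side half of that policy, as an added example that is not from the thread or from Cloudflare: a front end that forwards TLS 1.3 early data marks such requests with the `Early-Data: 1` header (RFC 8470), and the origin serves them only when the request is side-effect free, otherwise it answers 425 Too Early so the client retries once the handshake has completed. The `Request` type and the `cacheable_paths` set are constructed for the example.

```python
# Added example: a 0-RTT gate for an origin behind a TLS-terminating front end.
# Assumptions (not from the thread): the front end sets "Early-Data: 1" on
# requests it received as TLS 1.3 early data (RFC 8470), and the origin knows
# which paths are served from cache without side effects.
from dataclasses import dataclass, field

# Methods defined as safe (no state change) by the HTTP specification.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def is_early_data(req: Request) -> bool:
    """True if the front end flagged this request as 0-RTT early data."""
    return req.headers.get("Early-Data", "").strip() == "1"


def early_data_decision(req: Request, cacheable_paths: set) -> tuple:
    """Return (status, reason) for the 0-RTT policy.

    Early data can be replayed by an attacker who captured it, so only a
    request that is idempotent AND served from cache is acted on in 0-RTT.
    Anything else gets 425 Too Early; the client re-sends it after the
    handshake completes, when replay is no longer possible.
    """
    if not is_early_data(req):
        return 200, "not early data: arrived after the handshake"
    if req.method in SAFE_METHODS and req.path in cacheable_paths:
        return 200, "early data accepted: safe method, cached resource"
    return 425, "Too Early: refusing to act on replayable early data"


def triage(requests, cacheable_paths) -> list:
    """Apply the policy to a batch of requests; returns the status codes."""
    return [early_data_decision(r, cacheable_paths)[0] for r in requests]


if __name__ == "__main__":
    cache = {"/index.html"}  # constructed: paths served from cache
    sample = [
        Request("GET", "/index.html", {"Early-Data": "1"}),
        Request("POST", "/login", {"Early-Data": "1"}),
        Request("POST", "/login"),
    ]
    for r, s in zip(sample, triage(sample, cache)):
        print(r.method, r.path, "->", s)
```

A 425 is only useful if the client actually retries; browsers and libraries that support early data do so automatically, which is why the check costs nothing for legitimate traffic and only defeats replays.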

------
cuu508
I'm running Ubuntu 18.04 LTS. It comes with nginx 1.14.0 (good) and OpenSSL
1.1.0g (too old, need at least 1.1.1 for TLS 1.3 to work).

Apparently there are plans to backport OpenSSL 1.1.1:
[https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/17973...](https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386)

I'd rather not install 3rd party nginx & OpenSSL builds, or compile it myself,
so I'll just wait for the backport and test then.

~~~
hannob
Your comment kinda embodies everything that is complicated about Linux
distribution support.

You use an LTS distribution, yet you want to have bleeding edge features. It
sounds like you simply want two things that are in contradiction to each
other.

~~~
zzzcpan
There is no reason not to provide all the stable branches and
development/bleeding edge branches for packages and let people choose what
they want, except for package management practices still stuck in 20th
century.

~~~
cesarb
It would cause a combinatorial explosion: if you have only 10 packages with
both stable and bleeding edge branches, this is already over a thousand
possible combinations. That makes it harder to support, and the whole point of
an LTS distribution is to have support for a somewhat longer time.

~~~
zzzcpan
But it's all tied to time. So, for example, at any point in time there are
latest stable packages that should only depend on other latest stable
packages, there is no point doing other combinations, hence no combinatorial
explosion. And if it doesn't work with the latest stable dependency, it will
never work with it anyway and has to be linked with previous stable branch of
that dependency, still the only version though and no combinatorial explosion.
No matter how you look at it, time constrains the possible combinations to a
small number.

------
mobilemidget
The Centmin website could really use an easy-to-find "what is Centmin?" section.

~~~
vbtechguy
it's on the very first sentence on the site (not the forums)
[https://centminmod.com/](https://centminmod.com/) linking to
[https://centminmod.com/lemp.html](https://centminmod.com/lemp.html)

~~~
mobilemidget
That was not the site linked, and it took me a lot of clicking to finally see
it, yes. Though, having read up quite a bit, I'm not really a big fan.