Consider enabling Fastly's TLS 1.3 support for dl-cdn.alpinelinux.org
Currently the dl-cdn.alpinelinux.org CDN endpoints support TLS 1.2 but not 1.3. In most cases this doesn't matter because TLS 1.2 hasn't been deprecated yet, but I encountered a problem on a network which uses Palo Alto firewalls to do SSL inspection. The Palo Alto implementation has a long-running lack of support for RFC 5746 (I found references going back at least 3 years), which causes session negotiation with newer versions of OpenSSL to fail with a hard error (`error:0A000152:SSL routines::unsafe legacy renegotiation disabled`) when a server supports TLS 1.2 but not 1.3.
It is messy but possible to configure OpenSSL to allow the legacy renegotiation, but given Alpine's popularity in the container world that can be a lot of images to update. That made me wonder whether the better path might be to enable Fastly's TLS 1.3 support, since that's desirable for multiple other reasons as well and has been well tested in the years since it was released.
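For anyone who needs the client-side workaround in the meantime, the following is an added example (not the issue author's or Alpine's code) of what the "messy" OpenSSL configuration looks like, together with a probe that reports which TLS versions an endpoint negotiates from behind the inspecting device. It assumes OpenSSL 3.x (the `error:0A000152` text is OpenSSL 3's) and a POSIX shell; the file path and function names are illustrative. The `UnsafeLegacyRenegotiation` option restores OpenSSL 1.x behaviour towards peers that lack the RFC 5746 `renegotiation_info` extension, so it should be scoped to the affected processes via `OPENSSL_CONF` rather than baked into every image.

```shell
#!/bin/sh
# Added example; not part of the original issue. Assumes OpenSSL 3.x.
set -eu

# Write a minimal OpenSSL 3 config that re-enables legacy (pre-RFC 5746)
# renegotiation for any OpenSSL-linked client started with
# OPENSSL_CONF=<this file>. It disables a default that exists to block
# renegotiation MitM, so keep it scoped to the affected network.
write_legacy_reneg_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Accept peers that do not send renegotiation_info (OpenSSL 1.x behaviour)
Options = UnsafeLegacyRenegotiation
EOF
}

# Print the Options value from a config written above, so a caller can
# confirm the file says what it is supposed to before pointing OPENSSL_CONF at it.
config_options() {
    sed -n 's/^Options *= *//p' "$1"
}

# Probe which protocol versions an endpoint negotiates as seen by this client,
# i.e. through whatever inspection box sits in the path. Prints one line per
# version, e.g. "tls1_3 ok" or "tls1_2 fail (unsafe legacy renegotiation)".
probe_tls_versions() {
    host="$1"
    for v in tls1_3 tls1_2; do
        # s_client needs stdin closed so it exits after the handshake.
        if out=$(openssl s_client -"$v" -servername "$host" \
                     -connect "$host:443" </dev/null 2>&1); then
            echo "$v ok"
        elif echo "$out" | grep -q 'unsafe legacy renegotiation'; then
            echo "$v fail (unsafe legacy renegotiation)"
        else
            echo "$v fail"
        fi
    done
}

# Usage: sh probe.sh dl-cdn.alpinelinux.org
# Runs the probe twice: with the stock defaults, then with the legacy
# renegotiation override, so the effect of the workaround is visible.
if [ $# -gt 0 ]; then
    echo "default OpenSSL config:"
    probe_tls_versions "$1"
    cfg="${TMPDIR:-/tmp}/legacy-reneg.cnf"
    write_legacy_reneg_conf "$cfg"
    OPENSSL_CONF="$cfg"
    export OPENSSL_CONF
    echo "with UnsafeLegacyRenegotiation:"
    probe_tls_versions "$1"
fi
```

A `tls1_3 fail` next to a `tls1_2 fail (unsafe legacy renegotiation)` reproduces the situation described above; once the CDN negotiates TLS 1.3 the first line should read `tls1_3 ok` with no config override, because TLS 1.3 has no renegotiation and the extension is never consulted.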