New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New OpenSSL APIs for TLSv1.3 ciphersuites Support #4007
Comments
IMO, we need a new config in
|
maybe |
@zizhong It looks TLSv1.3 specific. What will we do when new TLS version like TLSv1.4 or TLSv2 is published? |
Also, the name should be consistent with a config for (EC)DHE groups. ( #3604 ) |
@masaori335 good point. |
Doh. Couldn't we just parse out the TLS v1.3 ciphers? I believe they are all prefixed with TLS13_, right? Presumably, future TLS versions will do the same, e.g. prefix with TLS14_ etc. It seems pretty unfortunate to have to introduce multiple configuration files here. What we likely need though is an option to enable / disable TLS v1.3 support, like we have for previous TLS and SSL versions. |
The prefix is removed. Now TLS v1.3 ciphers suite names are below.
Update: |
We can parse, but mixing old and new ciphersuites looks messy. If we do that,
|
What happens if you give the same argument to both OpenSSL APIs? Meaning, could we just have one option and feed that to both, and let it figure things out? I’m kinda baffled about this, there must be some reason why they separated the two cipher suites. Also, what are the implications for BoringSSL support now? Do they add this new API too? |
I'll check the behavior.
Before the split, when a server has TLSv1.3 enabled but no TLSv1.3 ciphersuites, all handshake immediately fail include TLSv1.2. It looks like they want to avoid that. Also the change of ciphersuite concept looks another motivation. This new API is introduced by this commit.(openssl/openssl@f865b08).
BoringSSL doesn't have this API. They hard coded TLSv1.3 ciphers :)
https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#1379 |
Giving old ciphersuites to the new API returns error. |
OpenSSL has split configuration of TLSv1.3 ciphers from older ciphers since 1.1.1-pre3. ATS needs to use this new API for TLSv1.3 ciphers.
New APIs for TLSv1.3 ciphersuites
Details in https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
Commit of OpenSSL: openssl/openssl@f865b08
The text was updated successfully, but these errors were encountered: