TLS 1.3 specific cipher list (OpenSSL) #2435

Closed
zzq1015 opened this Issue Mar 28, 2018 · 3 comments

zzq1015 commented Mar 28, 2018

https://github.com/openssl/openssl/blob/8eb399fb25a6ef68b2a9e8d34b242b9767c46abe/CHANGES#L20
Because of this change, we can no longer specify TLS 1.3 ciphers using the --ciphers switch.
In the latest build of OpenSSL, we can only use the -ciphersuites option to change the TLS 1.3 cipher order, like this:

openssl ciphers -V -ciphersuites "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384" "DEFAULT"

I suggest adding a --tls13-ciphers switch to specify TLS1.3-only ciphers.

@bagder bagder added the SSL/TLS label Mar 28, 2018

Member

bagder commented Mar 28, 2018

Yes, it seems like we need to follow along here. The question is perhaps if we also should go with --ciphersuites instead of explicitly spelling out 1.3 in the name. Who knows, maybe a future TLS 1.4 can also use it?

zzq1015 commented Apr 3, 2018

No. We already have the --ciphers switch. The new --ciphersuites will cause confusion for the users.
Spelling TLS 1.3 is kind of necessary and makes sense when TLS 1.4/2.0/whatever comes out. It simply means the cipher suites are for TLS 1.3 and above.

Member

bagder commented Apr 16, 2018

You up to writing a PR for this?

bagder added a commit that referenced this issue May 24, 2018

setopt: add TLS 1.3 ciphersuites
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github

bagder added a commit that referenced this issue May 29, 2018

setopt: add TLS 1.3 ciphersuites
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github

@bagder bagder closed this in 050c93c May 29, 2018
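
The split this issue describes, seen from OpenSSL's side, as an added example that is not part of the original thread or of curl's code. It uses Python's ssl module (an OpenSSL binding, assumed to be linked against OpenSSL 1.1.1 or later) instead of curl, and the legacy cipher string is a constructed sample policy. It checks that restricting the legacy cipher list leaves the enabled TLS 1.3 suites untouched, and that a TLS 1.3 suite name is not accepted by the legacy list.

```python
import ssl

LEGACY_ONLY = "ECDHE-RSA-AES128-GCM-SHA256"  # constructed sample policy (TLS 1.2 name)
TLS13_NAME = "TLS_AES_128_GCM_SHA256"        # TLS 1.3 suite name quoted in the issue


def tls13_suites(ctx):
    """Names of the TLS 1.3 suites currently enabled on ctx."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3")


def legacy_ciphers(ctx):
    """Names of the enabled ciphers for TLS 1.2 and below."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def legacy_list_accepts(cipher_string):
    """True if the legacy cipher list selects at least one cipher from the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # wraps OpenSSL's legacy cipher-list setter
    except ssl.SSLError:                # "No cipher can be selected."
        return False
    return True


def audit(cipher_string):
    """Apply a legacy cipher string and report what is enabled before and after."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = tls13_suites(ctx)
    ctx.set_ciphers(cipher_string)
    return {
        "legacy": legacy_ciphers(ctx),
        "tls13_before": before,
        "tls13_after": tls13_suites(ctx),
    }


if __name__ == "__main__":
    report = audit(LEGACY_ONLY)
    print("OpenSSL build:        ", ssl.OPENSSL_VERSION)
    print("legacy ciphers now:   ", report["legacy"])
    print("TLS 1.3 suites before:", report["tls13_before"])
    print("TLS 1.3 suites after: ", report["tls13_after"])
    print("legacy list accepts", TLS13_NAME, "->", legacy_list_accepts(TLS13_NAME))
```

A cipher policy audit that only inspects the legacy list therefore misses whatever TLS 1.3 suites the library enables by default.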

@lock lock bot locked as resolved and limited conversation to collaborators Aug 27, 2018
