TLS1.3 ciphersuites configuration way Support

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

TLS1.3 ciphersuites configuration way Support

Zhang Chao
Hello!

It seems that OpenSSL has changed the way TLSv1.3 cipher suites are configured. 
According to the document https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html, the function SSL_CTX_set_cipher_list isn’t suitable for TLSv1.3, instead,
SSL_CTX_set_ciphersuits should be used. While Nginx’s now still use SSL_CTX_set_cipher_list
to configure the SSL/TLS ciphers, which leads to the default cipher suits are used all the time.

Is there any support plan for this?

Best Regards
Alex Zhang

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: TLS1.3 ciphersuites configuration way Support

A. Schulze


Am 28.09.18 um 10:56 schrieb Alex Zhang:
> It seems that OpenSSL has changed the way TLSv1.3 cipher suites are configured. 
> According to the document https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html, the function SSL_CTX_set_cipher_list isn’t suitable for TLSv1.3, instead,
> SSL_CTX_set_ciphersuits should be used. While Nginx’s now still use SSL_CTX_set_cipher_list
> to configure the SSL/TLS ciphers, which leads to the default cipher suits are used all the time.

Hello,

as far as I understand TLS1.3, there was a major redesign regarding cipher suites.
It's no longer possible to combine key exchange, hash and cipher in so many ways.
There are only 5 fixed cipher suites available (1) so the need to change them is significant lower.

Andreas


(1) https://tools.ietf.org/html/rfc8446#appendix-B.4
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: TLS1.3 ciphersuites configuration way Support

Maxim Dounin
In reply to this post by Zhang Chao
Hello!

On Fri, Sep 28, 2018 at 04:56:10AM -0400, Alex Zhang wrote:

> It seems that OpenSSL has changed the way TLSv1.3 cipher suites are
> configured.
> According to the document
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html, the
> function SSL_CTX_set_cipher_list isn’t suitable for TLSv1.3, instead,
> SSL_CTX_set_ciphersuits should be used. While Nginx’s now still use
> SSL_CTX_set_cipher_list
> to configure the SSL/TLS ciphers, which leads to the default cipher suits
> are used all the time.
>
> Is there any support plan for this?

Yes, as long as the long-term approach to configure ciphers for
different TLS versions will be clear.  Right now the only thing
which is clear is that the SSL_CTX_set_ciphersuits() interface is
a band-aid which leads to various surprising and inconsistent
results.  See https://trac.nginx.org/nginx/ticket/1529 for
details.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: TLS1.3 ciphersuites configuration way Support

Zhang Chao
Hello Maxim!

Thanks for the replay.
I will patch our service to support this temporary way.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx