Re: Openssl 1.1 / TLS 1.3

On 14/02/18 17:28, Richard Moore wrote:
> 
> 
> On 14 February 2018 at 16:34, Matt Caswell <matt@xxxxxxxxxxx
> <mailto:matt@xxxxxxxxxxx>> wrote:
> 
> 
> 
>     On 14/02/18 16:27, Richard Moore wrote:
>     > If I run the following:
>     >
>     >  openssl-1.1.1pre1 ciphers -tls1_3 -v
> 
>     The man page says this about the "-tls1_3" option:
> 
>     "In combination with the B<-s> option, list the ciphers which would be
>     used if TLSv1.3 were negotiated."
> 
>     So you need to add "-s". If you do that then you only get the TLSv1.3
>     ciphers. It's a little strange that the option is ignored if no -s is
>     supplied (you might think supplying -tls1_3 would automatically imply
>     -s). But that is the way that all the -tls* options work, so this is
>     nothing new in 1.1.1.
> 
> 
> I see, thanks. That's very confusing, but yeah it seems to be there
> since 1.1.0. How would you feel about that being the default? I'm a
> little bit unclear about what the point of the option is otherwise?

We're always a bit wary about changing the behaviour of command line app
options. It has a tendency to "bite" us in unexpected ways (where people
are relying on the behaviour being one way, and suddenly it changes). In
particular 1.1.1 is supposed to be completely compatible with 1.1.0.

Having said that it's difficult to see what would break if we made it
that specifying one of those options implicitly sets "-s" too. Or
alternatively we could perhaps print a warning if you specify one of
these options without -s.

Matt
