On Sun, Apr 29, 2018 at 10:05:39PM -0400, Dennis Clarke wrote:
> On 29/04/18 06:43 AM, Kurt Roeckx wrote:
> > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
> > 1.3 brings a lot of changes that might cause incompatibility. For
> > an overview see https://wiki.openssl.org/index.php/TLS1.3
>
> Looking at https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
> there are five pure TLSv1.3 ciphersuites listed. At the moment the
> OpenSSL 1.1.1-pre5 utters :
>
> n0$ LD_LIBRARY_PATH=`pwd` apps/openssl ciphers -v | grep " TLSv1\.3 "
> TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> n0$

Yes, by default only 3 are enabled, but there are also 2 others supported, included in ALL.

> So using a client connect test to apache means build up a separate
> instance ( and toolchain perhaps ) running with pre4 beta only and a
> self cert and then ... isolate to only TLS_AES_256_GCM_SHA384 ( for
> example ) in the apache ssl config. This will take some days just for
> an initial test framework and then try :

Note that Apache requires a patch that was committed 4 weeks ago to
support TLS 1.3. It just seems to make TLS 1.3 known to the
configuration files and things like that; I'm not sure why that was
needed in the first place.

Kurt