(For those who are not Jouni, there is some spec work needed for TLS 1.3/EAP
integration as well, occurring in the IETF EMU working group. I assume
Jouni is on the mailing list and knows this already.)

-Ben

On Mon, May 28, 2018 at 03:28:13PM +0300, Jouni Malinen wrote:
> On Sun, Apr 29, 2018 at 12:43:26PM +0200, Kurt Roeckx wrote:
> > We are considering if we should enable TLS 1.3 by default or not,
> > or when it should be enabled. For that, we would like to know how
> > applications behave with the latest beta release.
>
> It looks like a couple of TLS 1.3 changes result in breaking functionality
> for various EAP methods that are based on TLS unless significant changes
> in both the EAP method definition and implementations are done before
> enabling the new TLS version. This seems to have an impact to at least
> EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST.
>
> As far as wpa_supplicant (EAP peer) and hostapd (EAP server)
> implementations are concerned, I've prepared changes to make EAP-TLS
> work with TLS 1.3, but the other EAP methods are still failing for
> various known (and to some extent, unknown) issues. Anyway, I'm
> currently explicitly disabling TLS 1.3 support with OpenSSL by default
> in these applications due to these issues and the expected
> interoperability issues and as such, the OpenSSL 1.1.1 release default
> behavior regarding TLS 1.3 support should not have impact for these
> applications. That said, other EAP implementations may want to do
> something similar or face possibility of breaking functionality if
> OpenSSL 1.1.1 does go out with TLS 1.3 enabled by default and both ends
> of the EAP connection have TLS 1.3 enabled.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
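
A way to confirm that a TLS-based client really stops offering TLS 1.3 once the version is capped, as the quoted message describes doing for the EAP applications. This is an added example, not code from wpa_supplicant, hostapd or anyone in this thread: it uses Python's `ssl` module (an OpenSSL binding) as a stand-in, and the host name and function names are constructed for illustration.

```python
import ssl
import struct

TLS13 = 0x0304  # wire value of TLS 1.3 in the supported_versions extension


def client_hello(disable_tls13):
    """Return the raw ClientHello record a client context would send."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_tls13:
        # Cap negotiation at TLS 1.2 until the EAP method is ready for 1.3.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Constructed placeholder name; memory BIOs mean no network traffic.
    tls = ctx.wrap_bio(incoming, outgoing,
                       server_hostname="radius.example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    return outgoing.read()


def offered_versions(hello):
    """List the protocol versions a ClientHello record offers."""
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4                                    # record + handshake headers
    legacy = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + 32                                  # legacy_version + random
    pos += 1 + hello[pos]                          # session id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher suites
    pos += 1 + hello[pos]                          # compression methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == 43:                         # supported_versions
            count = hello[pos]
            return [struct.unpack_from("!H", hello, pos + 1 + i)[0]
                    for i in range(0, count, 2)]
        pos += ext_len
    return [legacy]  # no extension: only the legacy version field applies


if __name__ == "__main__":
    for capped in (False, True):
        versions = offered_versions(client_hello(capped))
        print(capped, [hex(v) for v in versions])
```
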