On Thu, Jan 17, 2019 at 5:40 PM Jordan Brown <openssl@xxxxxxxxxxxxxxxxxxxx> wrote:
> On 1/14/2019 4:09 AM, Matt Caswell wrote:
> > This works more "by accident". There is no ciphersuite alias called "TLSv1.3", so using it as above results in no ciphersuites matched. Since the TLSv1.3 ciphersuites are on by default anyway that's all that you get back.
>
> From what you say, and based on experimentation, it seems like the TLSv1.3 ciphersuites are enabled even if you explicitly say to disable them.

3 of 5 TLS1.3 cipher suites are enabled by default.

I'm having to reverse engineer the intention, but I think that it was thought that the cipher list API with its mini language was too complex, so there is a new API for setting TLS1.3 cipher suites, _set_ciphersuites(), and for openssl ciphers, you can pass args to it using the -ciphersuites option. You can also pass an empty string "" to clear them.

Another reason for the second API and the odd interactions between them may be that there are existing apps calling the set_cipher_list() APIs. If their arg applied to TLS1.3 ciphers, it would always clear them, so existing apps wouldn't use TLS1.3 even though they were theoretically capable.

Anyhow, you are seeing that separation of two APIs, each configuring suites for different protocol families (pre/post TLS1.3).

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
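The two-API separation described in the message above can be seen directly from the command line, since `openssl ciphers` exposes both: its positional argument is the classic cipher list (the string SSL_CTX_set_cipher_list() takes, which only governs pre-TLS1.3 suites) and `-ciphersuites` is the separate TLS1.3 list (SSL_CTX_set_ciphersuites()). The script below is an added example written for this page; it is not code from any of the posters or from OpenSSL itself. It assumes an `openssl` binary from OpenSSL 1.1.1 or later on PATH, and the cipher names it passes in (ECDHE-RSA-AES128-GCM-SHA256, TLS_AES_128_GCM_SHA256) were chosen for the demonstration, not taken from the thread.

```shell
#!/bin/sh
# Added example for the openssl-users thread above (not the posters' code and
# not OpenSSL's own code). It drives `openssl ciphers` to show that the classic
# cipher list and the -ciphersuites list are configured independently.
# Assumes an `openssl` binary from OpenSSL 1.1.1 or later on PATH.

# Run `openssl ciphers -v` with a classic cipher list and, optionally, an
# explicit -ciphersuites value, printing "NAME PROTOCOL" per line.
# With one argument the TLS1.3 list is left at its built-in default; a second
# argument of "" clears it, as the message describes.
ciphers_with() {
    if [ "$#" -ge 2 ]; then
        openssl ciphers -v -ciphersuites "$2" "$1"
    else
        openssl ciphers -v "$1"
    fi | awk '{ print $1, $2 }'
}

# count_proto PROTO CIPHER_LIST [CIPHERSUITES]: number of listed suites whose
# protocol column (TLSv1.3, TLSv1.2, ...) equals PROTO.
count_proto() {
    proto=$1
    shift
    ciphers_with "$@" | awk -v want="$proto" '$2 == want { n++ } END { print n + 0 }'
}

# 1. A cipher list naming a single TLS1.2 suite still gets the default TLS1.3
#    suites listed ahead of it: the cipher list never touches that set.
tls13_default_count() { count_proto TLSv1.3 'ECDHE-RSA-AES128-GCM-SHA256'; }
tls12_default_count() { count_proto TLSv1.2 'ECDHE-RSA-AES128-GCM-SHA256'; }

# 2. "!TLSv1.3" is not a cipher-list alias, so the rule is ignored and the
#    TLS1.3 suites are unaffected; the count matches the default case.
tls13_after_kill_rule() { count_proto TLSv1.3 '!TLSv1.3:ECDHE-RSA-AES128-GCM-SHA256'; }

# 3. An empty -ciphersuites string really does clear the TLS1.3 list.
tls13_after_clear() { count_proto TLSv1.3 'ECDHE-RSA-AES128-GCM-SHA256' ''; }

# 4. A non-empty -ciphersuites string selects exactly the suites it names,
#    and they are listed first.
tls13_after_select() {
    count_proto TLSv1.3 'ECDHE-RSA-AES128-GCM-SHA256' 'TLS_AES_128_GCM_SHA256'
}
first_suite_after_select() {
    ciphers_with 'ECDHE-RSA-AES128-GCM-SHA256' 'TLS_AES_128_GCM_SHA256' \
        | awk 'NR == 1 { print $1 }'
}

# True when the installed openssl understands -ciphersuites (1.1.1 or later).
has_ciphersuites_option() {
    openssl ciphers -ciphersuites '' 'ALL' >/dev/null 2>&1
}

# Stand-alone run: print the four observations side by side.
if has_ciphersuites_option; then
    echo "TLS1.3 suites with default list:        $(tls13_default_count)"
    echo "TLS1.3 suites after '!TLSv1.3' rule:    $(tls13_after_kill_rule)"
    echo "TLS1.3 suites after -ciphersuites '':   $(tls13_after_clear)"
    echo "TLS1.3 suites after explicit selection: $(tls13_after_select) ($(first_suite_after_select))"
else
    echo "openssl on PATH does not support -ciphersuites; need 1.1.1 or later" >&2
fi
```

On a stock 1.1.1 or 3.x build the default TLS1.3 set printed in case 1 is TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256, the "3 of 5" the message refers to (the two CCM suites are off by default). The practical consequence for application code is the same as for the tool: auditing a server's configured suites by inspecting only the SSL_CTX_set_cipher_list() string misses the TLS1.3 half, and a "disable" rule written in the old mini-language has no effect on it.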