On 27/05/2019 10:26, Raja Ashok wrote:
> Hi All,
>
> I feel like some TLS 1.3 configuration APIs in OpenSSL 1.1.1 are uncomfortable
> in using it.
>
> *1) Configuring Cipher Suite:* There is a new API for configuring TLS1.3 cipher
> suite, which is /SSL_set_ciphersuites()/. But calling
> only /SSL_set_ciphersuites()/ does not work. Need to call old
> API /SSL_set_cipher_list()/ first and then /SSL_set_ciphersuites()/.

Hmmm...this shouldn't be the case. Order shouldn't be important. If you are
experiencing that, it sounds like a possible bug.

>
> *2) Configuring supported groups and temp ECDHE:* Configuring temp ECDHE using
> /SSL_set_tmp_ECDH()/ configures the corresponding curve ID as supported groups.
> So calling first /SSL_set1_groups()/ and then calling /SSL_set_tmp_ECDH()/ resets
> the configured groups using /SSL_set1_groups()/.

SSL_set_tmp_ECDH() is the old way of doing things (we should probably deprecate
this). You shouldn't need to call this at all. Just use SSL_set1_groups.

Matt