Hi, On 7/20/19 7:28 AM, Viktor Dukhovni wrote: > On Fri, Jul 19, 2019 at 10:38:19AM -0700, PGNet Dev wrote: > >> I suspect I've misunderstood usage of TLSv1.3 @ >> >> https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/ >> >> Checking cipherlist for just TLSv1.3 ciphers FAILs here, >> >> openssl ciphers -stdname -s -V 'TTLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384' >> Error in cipher list > > This is expected. Try: > > openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL' > That works here, openssl ciphers -tls1_3 -stdname -s -V -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' 'aNULL' 0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD Can you clarify WHY that's expected? Atm, it's inclear why it's working for Michael Wojcik ... different version? something's changed? And, in webserver ssl_cipher configs, specifying ONLY the tls13 ciphersuites fires a config error. Until I add a group, e.g. ECDHE, as well, to the spec. If this^^ is 'expected', is that, then, actually an error?
