> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of > Viktor Dukhovni > Sent: Saturday, July 20, 2019 09:18 > > > Atm, it's inclear why it's working for Michael Wojcik ... different > version? > > something's changed? > > I am discounting his report of success. The full set of TLS 1.3 > ciphers is enabled by default. If he did not use the -ciphersuites > option, he was overriding just the 1.2 code points, and somehow > managed to ultimately list just the TLS 1.3 code points. He > also had a typo in the command he posted. It is not pertinent. Shrug. I copied and pasted the command from PGNet Dev's email, and copied and pasted the result into my email. (I thought "TTLS" was a typo, but when the command worked as presented in the original email, didn't investigate further.) What I posted is nothing more or less than what the openssl executable currently on my system returns for that command. Clearly that build of 1.1.1 does not work the way you expect. That said, I'm no longer interested in *why* it doesn't. That's not the OpenSSL build we're shipping in any current product, and the configuration mechanism for the products I'm responsible for works as expected; that is, our tests confirm that the product is enabling both the configured TLSv1.3 suites and the configured pre-1.3 suites, on both client and server sides. I will, of course, save copies of Viktor's notes, since they contain important information about the operation of the ciphers command. -- Michael Wojcik Distinguished Engineer, Micro Focus