Hello openssl-users,
We came across a change in OpenSSL 1.1.1j that has introduced a regression.
https://github.com/openssl/openssl/pull/13304 and https://github.com/openssl/openssl/pull/13305 introduced the behaviour change: when servername callback is set, we suppose that we are TLS1.3-capable (see https://github.com/openssl/openssl/issues/13291 as rationale)
When server has a secret key that is incompatible with TLS 1.3 (in our test setup it was DSA, but we expect the same behavior with, e.g, Brainpool curves) set in httpd, when connecting to it via s_client, we get an alert in response to a ClientHello.
We came across a change in OpenSSL 1.1.1j that has introduced a regression.
https://github.com/openssl/openssl/pull/13304 and https://github.com/openssl/openssl/pull/13305 introduced the behaviour change: when servername callback is set, we suppose that we are TLS1.3-capable (see https://github.com/openssl/openssl/issues/13291 as rationale)
When server has a secret key that is incompatible with TLS 1.3 (in our test setup it was DSA, but we expect the same behavior with, e.g, Brainpool curves) set in httpd, when connecting to it via s_client, we get an alert in response to a ClientHello.
It can be invisible for end-users because of downgrade dance, but I wonder if we have any real-life cases.
The relevant GH issue is https://github.com/openssl/openssl/issues/16075
Many thanks!
-- SY, Dmitry Belyavsky
