On Wed, Mar 28, 2018 at 10:49 AM, Stefan Eissing < [email protected]> wrote:
> Just added TLSv1.3 support in trunk. No fancy new early data features, > just the basic. > > Open for discussion: > - The Mozilla server-side-tls people are still thinking of what they will > recommend, see: > https://github.com/mozilla/server-side-tls/issues/191# > issuecomment-376918933 > - Turns out, cipher suites are separate from <= TLSv1.2. Since servers > will co-host 1.2 and 1.3 > for some time, we need additional config directives, I think. Added > "SSLCipherSuiteV1_3" and > am ashamed of the name. > Why not something simple like: TLSVersion 1.3 and have that impute a specific set of ciphers? Get's away from the old "SSL" name, and moves us to a directive that can accept version into the future (instead of a new directive every time). And if you want to *refine* the behavior, then do it with new TLS* directives. I've always had a problem with setting up TLS servers because of the huge number of directives. It would be nice to just introduce a new, simple directive that produces "all" the default handling for the majority of users. > - The current handling of TLS versions that are not supported by the *SSL > lib linked is not > super helpful. It more or less pretends that the version does not exist > (unknown protocol), > but that is far from the truth. Shall we continue that or is this an > opportunity to reconsider? > Euh, if the underlying libraries cannot support a new TLS version, *and* httpd hasn't been coded to support that version, then yes: it should fail. Both parts are needed. Did I misunderstand your query? > - Should we allow the configuration of TLSv1_3 ciphers, even if the > linked SSL does not support > it? This is different from SSLProtocol which of course needs to fail if > it cannot enable the > version that is explicitly configured. > I think it is ok to take it into the config, even though it never > activates. > Oh no no. If I want to configure "SuperAwesomeGJSCipher", and that isn't available like I *expect* it to be ... then yeah. "Cipher not available. You won't get the security you're seeking." #FAIL Cheers, -g
