On 29.03.2018 at 11:41, Yann Ylavic wrote:
> On Thu, Mar 29, 2018 at 11:39 AM, Yann Ylavic <[email protected]> wrote:
>> On Thu, Mar 29, 2018 at 10:16 AM, Stefan Eissing
>> <[email protected]> wrote:
>>>
>>> Along the gist of your proposal, I think I'll expand "SSLCipherSuite"
>>> to take more than 1 argument and look for optional prefixes to the
>>> suite strings given, so one could do
>>>
>>> # as before, applies to all TLS protocols <=TLSv1.2
>>> SSLCipherSuite XXX:YY:-AASSD:DSDS
>>>
>>> # Set ciphers for TLSv1.3, does not replace the previous line
>>> SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>>>
>>> So, the directive becomes:
>>>
>>> SSLCipherSuite [ ProtocolClass ] Cipher-String
>>>
>>> where ProtocolClass is:
>>>   SSL (default)   all TLS/SSL Protocols <= TLSv1.2
>>>   TLSv1.3         TLS version 1.3
>>
>> Looks good to me.
>> I wonder if it's not applicable to TLSv1.2 already, there is a number
>> of ciphers available to 1.2 only (with openssl < 1.1).
>
> (e.g. GCMs, CHACHA+POLYs, SHA-2s ...)

FWIW: 30 minutes before the start of this thread I got this copy&paste per jabber - so it's an openssl issue at all that they just don't parse out the TLS1.3 related ones from SSLCipherSuite and so that is a completely new behavior breaking the sort of abstraction that I shouldn't know about TLS 1.0/1.1/1.2/1.3 at all in consumer code
______________________

upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because handshake will fail regardless of the tls protocol version if you don't specify a cipher valid for TLSv1.3 in your cipher list.

https://github.com/openssl/openssl/issues/5057
https://github.com/openssl/openssl/issues/5065

Openssl's team doesn't seem to consider this as an issue

FYI OpenSSL did a 180 on this, they implemented a new API call to set TLSv1.3 ciphers and enable them by default:

https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Split configuration of TLSv1.3 ciphers from older ciphers

With the current mechanism, old cipher strings that used to work in 1.1.0, may inadvertently disable all TLSv1.3 ciphersuites causing connections to fail. This is confusing for users.

In reality TLSv1.3 are quite different to older ciphers. They are much simpler and there are only a small number of them so, arguably, they don't need the same level of control that the older ciphers have.

This change splits the configuration of TLSv1.3 ciphers from older ones. By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable them through your existing config.

Fixes #5359
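The split described in the commit message above can be observed from any OpenSSL consumer. The following is an added example, not part of the original mail or of the httpd/OpenSSL code: it uses Python's `ssl` module (assumed to be linked against OpenSSL 1.1.1 or later) to apply a forced legacy cipher string and report which suites stay enabled per protocol class. The function names and sample cipher strings are constructed for illustration.

```python
import ssl

# True when the linked OpenSSL supports TLSv1.3 (OpenSSL >= 1.1.1).
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def split_by_protocol_class(cipher_string):
    """Apply a legacy cipher string and return (tls13_names, legacy_names).

    SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), which after the
    split only edits the <= TLSv1.2 list; TLSv1.3 suites are kept separately.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    tls13, legacy = [], []
    for cipher in ctx.get_ciphers():
        bucket = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        bucket.append(cipher["name"])
    return tls13, legacy


def audit(cipher_string):
    """Summarise what a forced cipher list leaves enabled in each class."""
    try:
        tls13, legacy = split_by_protocol_class(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejected the string: nothing in it matched a usable cipher.
        return {"valid": False, "tls13": [], "legacy": []}
    return {"valid": True, "tls13": tls13, "legacy": legacy}


if __name__ == "__main__":
    # Constructed sample: a forced list written before TLSv1.3 existed.
    forced = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    report = audit(forced)
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("<= TLSv1.2 suites:", report["legacy"])
    print("TLSv1.3 suites still enabled:", report["tls13"])
```
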
