Hi Stefan,

Sure I'm here :D Have been the maintainer of the LibreSSL ports in FreeBSD for a good while and more recently joined the apache@ team.

I'll let you know my results. I have an OpenSSL 1.1.1 port in the making so I can test all of this long before it lands in a release.

Cheers,

Bernard.

2018-03-28 17:49 GMT+02:00 Stefan Eissing <[email protected]>:

> Just added TLSv1.3 support in trunk. No fancy new early data features, just
> the basic.
>
> Open for discussion:
> - The Mozilla server-side-tls people are still thinking of what they will
>   recommend, see:
>   https://github.com/mozilla/server-side-tls/issues/191#issuecomment-376918933
> - Turns out, cipher suites are separate from <= TLSv1.2. Since servers will
>   co-host 1.2 and 1.3 for some time, we need additional config directives,
>   I think. Added "SSLCipherSuiteV1_3" and am ashamed of the name.
> - The current handling of TLS versions that are not supported by the *SSL
>   lib linked is not super helpful. It more or less pretends that the version
>   does not exist (unknown protocol), but that is far from the truth. Shall we
>   continue that or is this an opportunity to reconsider?
> - Should we allow the configuration of TLSv1_3 ciphers, even if the linked
>   SSL does not support it? This is different from SSLProtocol which of course
>   needs to fail if it cannot enable the version that is explicitly configured.
>   I think it is ok to take it into the config, even though it never
>   activates.
>
> Cheers,
>
> Stefan
>
> PS. If a FreeBSD libressl+apache maintainer is listening here, he may try if
> trunk compiles with it. I would not stop him.
