On 12/01/2018 03:57 PM, Emeric Brun wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a
> forced cipher list because the handshake will fail regardless of the TLS
> protocol version if you don't specify a cipher valid for TLSv1.3 in your
> cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> OpenSSL's team doesn't seem to consider this as an issue and I'm just bored
> to discuss with them.
>
> R,
> Emeric

So, if we enable TLSv1.3, together with TLSv1.2, on the server side, then the client must support TLSv1.3, otherwise it will get a nice SSL error. Am I right?

If I am right, I hope I'm not, then we have to wait for all clients to support TLSv1.3 before we enable it on the server side. This doesn't sound right and I am pretty sure I am completely wrong here.

Cheers,
Pavlos