The way I read it, you just have to be sure to specify a valid TLS 1.3 cipher. I have not attempted the configuration to confirm, though.
________________________________
From: Pavlos Parissis <pavlos.paris...@gmail.com>
Sent: Friday, January 12, 2018 4:55 PM
To: Emeric Brun; haproxy@formilux.org
Subject: Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions

On 12/01/2018 03:57 PM, Emeric Brun wrote:
> Hi All,
>
> FYI: upgrading to the next openssl-1.1.1 could break your prod if you're using a
> forced cipher list, because the handshake will fail regardless of the TLS
> protocol version if you don't specify a cipher valid for TLSv1.3 in your
> cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> Openssl's team doesn't seem to consider this as an issue and I'm just bored
> of discussing it with them.
>
> R,
> Emeric
>

So, if we enable TLSv1.3 together with TLSv1.2 on the server side, then the client must support TLSv1.3, otherwise it will get a nice SSL error. Am I right?

If I am right, and I hope I'm not, then we have to wait for all clients to support TLSv1.3 before we enable it on the server side. This doesn't sound right, and I am pretty sure I am completely wrong here.

Cheers,
Pavlos
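A lint for the situation the thread describes, added here as an example and not code from the thread, HAProxy or OpenSSL: it walks a forced OpenSSL cipher string and reports which TLS 1.3 ciphersuites it explicitly names and keeps, so an operator can see before upgrading whether the list would leave the TLS 1.3 side empty. The five suite names are the ones OpenSSL 1.1.1 uses; the rule that alias keywords (HIGH, DEFAULT, kECDHE, TLSv1.3) never contain a hyphen while explicit legacy suite names always do is an assumption of this lint, so such tokens are reported as unresolved rather than expanded.

```python
import re

# TLS 1.3 ciphersuite names as OpenSSL 1.1.1 spells them.
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def lint_cipher_list(cipher_list):
    """Walk an OpenSSL cipher string left to right; return the TLS 1.3 suites
    it explicitly keeps plus the alias keywords it does not expand.

    Assumption: explicit legacy suite names (ECDHE-RSA-AES128-GCM-SHA256, ...)
    contain a '-', so a hyphen-free token outside TLS13_SUITES is an alias
    (HIGH, DEFAULT, kECDHE, TLSv1.3). Confirm those with `openssl ciphers -v`.
    """
    present = []      # TLS 1.3 suites currently in the list, in order
    killed = set()    # removed with '!': OpenSSL never lets these come back
    unresolved = []   # alias tokens this lint cannot expand
    # OpenSSL accepts ':', ',' and whitespace as separators.
    for token in re.split(r"[:,\s]+", cipher_list.strip()):
        if not token or token.startswith("@"):   # @STRENGTH, @SECLEVEL=n
            continue
        modifier = token[0] if token[0] in "!-+" else ""
        name = token[len(modifier):]
        if name not in TLS13_SUITES:
            if "-" not in name:
                unresolved.append(token)
            continue
        if modifier == "!":               # permanent delete
            killed.add(name)
            present = [s for s in present if s != name]
        elif modifier == "-":             # delete, but may be re-added later
            present = [s for s in present if s != name]
        elif modifier == "":              # plain mention adds the suite
            if name not in killed and name not in present:
                present.append(name)
        # '+' only moves an existing suite to the end; presence is unchanged
    return {"tls13_suites": present, "unresolved": unresolved}


def has_tls13_suite(cipher_list):
    """True when at least one TLS 1.3 suite is explicitly named and kept."""
    return bool(lint_cipher_list(cipher_list)["tls13_suites"])
```

An empty `tls13_suites` list together with an empty `unresolved` list is exactly the forced-list case the warning above is about.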