Hi Pavlos,

On 12/01/2018 22:53, Pavlos Parissis wrote:
> On 12/01/2018 03:57 PM, Emeric Brun wrote:
>> Hi All,
>>
>> FYI: upgrading to the next openssl-1.1.1 could break your prod if you're
>> using a forced cipher list, because the handshake will fail regardless of
>> the TLS protocol version if you don't specify a cipher valid for TLSv1.3
>> in your cipher list.
>>
>> https://github.com/openssl/openssl/issues/5057
>>
>> https://github.com/openssl/openssl/issues/5065
>>
>> OpenSSL's team doesn't seem to consider this an issue and I'm just bored
>> of discussing it with them.
>>
>> R,
>> Emeric
>>
>
> So, if we enable TLSv1.3, together with TLSv1.2, on the server side, then
> the client must support TLSv1.3, otherwise it will get a nice SSL error.
> Am I right? If I am right, and I hope I'm not, then we have to wait for
> all clients to support TLSv1.3 before we enable it on the server side.
> This doesn't sound right and I am pretty sure I am completely wrong here.
>
> Cheers,
> Pavlos
>
>

Not exactly: the moment you force a cipher list that does not include a
TLSv1.3 cipher on the server side (which has TLSv1.3 enabled), the TLS
handshake will break regardless of what is in the Client Hello.

-- 
Moemen MHEDHBI

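A preflight check for the situation described in this thread, added here as an example and not code from the list or from OpenSSL: it applies a forced cipher list to a server context and reports whether the linked OpenSSL build still offers any TLSv1.3 suite alongside it. It assumes Python 3.7+ and relies on the fact that Python's `set_ciphers()` only configures TLSv1.2-and-below suites, so the TLSv1.3 entries it reports are whatever the build supplies by default.

```python
import ssl

# The five TLSv1.3 ciphersuite names defined by OpenSSL 1.1.1, for reference.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def effective_ciphers(cipher_list):
    """Apply a forced cipher list to a server context and return what the
    linked OpenSSL build actually offers, split by protocol generation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    offered = ctx.get_ciphers()   # list of dicts with 'name' and 'protocol'
    tls13 = [c["name"] for c in offered if c["protocol"] == "TLSv1.3"]
    tls12 = [c["name"] for c in offered if c["protocol"] != "TLSv1.3"]
    return {"tls13": tls13, "tls12": tls12}


def tls13_handshake_at_risk(cipher_list):
    """True when TLSv1.3 is available to the build but the effective cipher
    stack holds no TLSv1.3 suite: the configuration the thread reports as
    failing the handshake on the OpenSSL 1.1.1 pre-release."""
    if not ssl.HAS_TLSv1_3:
        return False  # no TLSv1.3 at all, so nothing to break
    return not effective_ciphers(cipher_list)["tls13"]


if __name__ == "__main__":
    # Constructed example of a typical forced TLSv1.2-only cipher list.
    forced = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    report = effective_ciphers(forced)
    print("TLSv1.3 suites offered:", report["tls13"] or "none")
    print("TLSv1.2 suites offered:", report["tls12"])
    print("TLSv1.3 handshake at risk:", tls13_handshake_at_risk(forced))
```

On an OpenSSL 1.1.1 release build (where TLSv1.3 suites are configured separately via SSL_CTX_set_ciphersuites) the check reports no risk; a build that reports `at risk` for a forced list is one where Emeric's warning applies.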
