On 13/01/2018 01:22 PM, Moemen MHEDHBI wrote:
> Hi Pavlos,
>
>
> On 12/01/2018 22:53, Pavlos Parissis wrote:
>> On 12/01/2018 03:57 PM, Emeric Brun wrote:
>>> Hi All,
>>>
>>> FYI: upgrading to the next openssl-1.1.1 could break your prod if you're using
>>> a forced cipher list, because the handshake will fail regardless of the TLS
>>> protocol version if you don't specify a cipher valid for TLSv1.3 in your
>>> cipher list.
>>>
>>> https://github.com/openssl/openssl/issues/5057
>>>
>>> https://github.com/openssl/openssl/issues/5065
>>>
>>> OpenSSL's team doesn't seem to consider this an issue and I'm just bored
>>> of discussing it with them.
>>>
>>> R,
>>> Emeric
>>>
>>
>> So, if we enable TLSv1.3, together with TLSv1.2, on the server side, then
>> the client must support TLSv1.3, otherwise it will get a nice SSL error.
>> Am I right? If I am right, and I hope I'm not, then we have to wait for all
>> clients to support TLSv1.3 before we enable it on the server side. This
>> doesn't sound right and I am pretty sure I am completely wrong here.
>>
>> Cheers,
>> Pavlos
>>
>>
>
> Not exactly: the moment you force a cipher list that does not include a
> TLSv1.3 cipher on the server side (which has TLSv1.3 enabled), the TLS
> handshake will break regardless of what is in the Client Hello.
>
But, can we have TLSv3 enabled on the server side and still accept TLSv2 sessions?

Cheers,
Pavlos
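A static check that answers the practical question raised in this thread before an upgrade: does a forced cipher list (for example the value of HAProxy's `ssl-default-bind-ciphers`) name any TLSv1.3 suite at all? This is an added example, not code from the thread, from HAProxy or from OpenSSL. It only inspects the configuration string; it does not call into OpenSSL, and the expansion of aliases such as `HIGH` or `ECDHE+AESGCM` depends on the OpenSSL build, so lists that rely on aliases are reported as "unknown" rather than guessed. The TLSv1.3 suite names are the RFC 8446 names as OpenSSL 1.1.1 spells them; the sample lists at the bottom are constructed.

```python
"""Static check of an OpenSSL-style cipher list for TLSv1.3 suites.

Added example (not from the thread, HAProxy or OpenSSL). It inspects only
the configuration string; alias expansion is build-dependent and is not
attempted.
"""
import re

# TLSv1.3 cipher suites as spelled by OpenSSL 1.1.1 (RFC 8446 names).
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# A literal pre-1.3 suite name is hyphenated (ECDHE-RSA-AES128-GCM-SHA256).
# Anything else that is not a TLSv1.3 name above (HIGH, aRSA, ECDHE+AESGCM)
# is an alias whose expansion we cannot resolve without the OpenSSL build.
_LITERAL = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$")


def parse_cipher_list(cipher_list):
    """Split an OpenSSL cipher string into (operator, token) pairs.

    OpenSSL accepts ':', ',' and whitespace as separators. A leading '!'
    removes a cipher permanently, '-' removes it (it may be re-added later)
    and '+' moves it to the end of the list.
    """
    pairs = []
    for token in re.split(r"[:,\s]+", cipher_list.strip()):
        if not token:
            continue
        op = ""
        if token[0] in "!-+":
            op, token = token[0], token[1:]
        pairs.append((op, token))
    return pairs


def check_cipher_list(cipher_list):
    """Classify a forced cipher list for a server that has TLSv1.3 enabled.

    Returns a dict with
      status:  "ok"      - at least one TLSv1.3 suite is explicitly selected
               "missing" - only literal pre-1.3 suites remain (or the TLSv1.3
                           suites were removed with '!'/'-'); under the
                           OpenSSL 1.1.1 behaviour described in the thread,
                           every handshake would then fail
               "unknown" - aliases are used whose expansion depends on the
                           build; resolve them with `openssl ciphers -v`
      tls13:   the TLSv1.3 suites that survive the list
      aliases: the unresolved alias tokens
    """
    tls13 = set()
    banned = set()      # suites removed with '!' can never come back
    aliases = []
    for op, token in parse_cipher_list(cipher_list):
        if token.startswith("@"):
            continue    # '@STRENGTH', '@SECLEVEL=n': directives, not ciphers
        if token in TLS13_SUITES:
            if op in ("!", "-"):
                tls13.discard(token)
                if op == "!":
                    banned.add(token)
            elif token not in banned:
                tls13.add(token)
        elif not _LITERAL.match(token):
            if op not in ("!", "-"):    # a removed alias cannot add anything
                aliases.append(token)
    if tls13:
        status = "ok"
    elif aliases:
        status = "unknown"
    else:
        status = "missing"
    return {"status": status, "tls13": sorted(tls13), "aliases": aliases}


if __name__ == "__main__":
    # Constructed sample lists of the kind found in ssl-default-bind-ciphers.
    for sample in (
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
        "TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5",
    ):
        print(sample, "->", check_cipher_list(sample)["status"])
```

A "missing" result is the case Emeric warns about: the list pins TLSv1.2-and-earlier suites only, so a server with TLSv1.3 enabled and this list forced cannot complete a handshake. An "unknown" result needs the real expansion from the OpenSSL version that will actually be linked, which is what `openssl ciphers -v '<list>'` prints.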