Hello Emeric,

On 12 January 2018 at 15:57, Emeric Brun <eb...@haproxy.com> wrote:
> Hi All,
>
> FYI: upgrading to the next openssl-1.1.1 could break your prod if you're using a
> forced cipher list, because the handshake will fail regardless of the TLS protocol
> version if you don't specify a cipher valid for TLSv1.3 in your cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> OpenSSL's team doesn't seem to consider this an issue and I'm just bored of
> discussing it with them.


FYI OpenSSL did a 180 on this, they have implemented a new API call to
set TLSv1.3 ciphers and enable them by default:

https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html



cheers,
lukas
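To see the behaviour Lukas describes (default TLSv1.3 suites staying enabled next to a forced cipher list), here is an added example that is not part of this thread: Python's ssl module wraps SSL_CTX_set_cipher_list() and SSL_get_ciphers(), so it can show which suites a TLSv1.2-only cipher string leaves negotiable. It assumes the interpreter is linked against OpenSSL 1.1.1 or later with TLS 1.3 enabled; the cipher string and the helper names are constructed for the illustration.

```python
import ssl

# Constructed example: a "forced" cipher list that names only TLSv1.2 suites,
# the kind of setting that used to break TLSv1.3 handshakes on early 1.1.1.
FORCED_TLS12_LIST = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def enabled_ciphers_by_protocol(cipher_list: str) -> dict:
    """Apply cipher_list to a fresh server context and group the suites
    OpenSSL reports as enabled by the protocol version they belong to.

    Returns {} when OpenSSL rejects the string outright (no matching suite).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)      # -> SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return {}
    groups = {}
    for cipher in ctx.get_ciphers():      # -> SSL_get_ciphers() on the ctx
        groups.setdefault(cipher["protocol"], []).append(cipher["name"])
    return groups


def tls13_still_negotiable(cipher_list: str) -> bool:
    """True if the context still offers at least one TLSv1.3 suite, i.e. the
    separate ciphersuites default was not wiped out by the cipher list."""
    return bool(enabled_ciphers_by_protocol(cipher_list).get("TLSv1.3"))


if __name__ == "__main__":
    for proto, names in sorted(enabled_ciphers_by_protocol(FORCED_TLS12_LIST).items()):
        print(f"{proto}: {', '.join(names)}")
    print("TLSv1.3 negotiable:", tls13_still_negotiable(FORCED_TLS12_LIST))
```

With a build that lacks TLS 1.3, the "TLSv1.3" key is simply absent and the check returns False, which is the condition an operator would want to catch before upgrading.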
