Hi Dirkjan,


On Thu, 13 Sep 2018 at 15:35, Dirkjan Bussink <d.buss...@gmail.com> wrote:
>
> Hi all,
>
> With the release of OpenSSL 1.1.1, TLS 1.3 is now also available. It already 
> is working fine in my testing with HAProxy 1.8, there is however one issue. 
> Currently there is no way to control the ciphers for TLS 1.3 from HAProxy, as 
> according to the OpenSSL documentation, ciphers are handled by a separate 
> method for TLS 1.3 compared to TLS 1.2 and earlier:
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
>
> SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and 
> below) for ctx using the control string str.
>
> SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3 
> ciphersuites for ctx.
>
>
> Before I jump into writing code for this, I’m wondering what the approach is 
> that HAProxy wants to take here. Should a similar option as today's `ciphers`
> option be made available in HAProxy to control the TLS 1.3 ciphers? If so, 
> what should that be named?
>
> Or is another approach preferred here? For example by still using the 
> `ciphers` configuration setting, but by then filtering out ciphers that start 
> with `TLS13` and set those separate with `SSL_CTX_set_ciphersuites`?

Definitely not by some string matching, openssl could have done
exactly that, they chose to make a new API call instead, and they
expect applications to introduce new configuration knobs or use the
generic configuration interface SSL_CONF, so no, let's not get crazy
with string magic here and expose the API as-is to the users
(SSL_CTX_set_ciphersuites() or the generic SSL_CONF()).

I assume we don't have to change anything regarding groups/curves,
although they implemented the new SSL_CTX_set1_groups() call, but if I
understand correctly SSL_CTX_set1_curves_list() works just as well
with TLSv1.3, right?



Thanks,
Lukas
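The split Dirkjan describes (SSL_CTX_set_cipher_list() governs TLSv1.2 and below, SSL_CTX_set_ciphersuites() governs TLSv1.3) can be observed from Python, whose ssl module wraps only the first call. The following is an added example, not code from this thread or from HAProxy: it applies a cipher string naming only TLS 1.2 suites and then groups the suites the context actually has enabled by protocol version, showing that the TLS 1.3 suites remain in place untouched. The cipher string is a constructed sample; the helper names are mine, and it assumes a Python linked against OpenSSL 1.1.1 or later (on a build without TLS 1.3 the check degrades to confirming the TLS 1.2 restriction alone).

```python
import ssl

# Constructed example: a cipher string that names only TLS 1.2 suites.
TLS12_ONLY = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def ciphers_by_protocol(cipher_string):
    """Apply cipher_string via set_ciphers(), which wraps
    SSL_CTX_set_cipher_list(), then group the suites that end up enabled
    on the context by the protocol version they belong to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    grouped = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def tls13_suites_survive(cipher_string):
    """Return True if cipher_string restricted only the pre-1.3 suites:
    every non-TLS 1.3 suite left enabled is one that was requested, and,
    when the library supports TLS 1.3, its TLS 1.3 suites are still
    present even though cipher_string never mentioned them."""
    grouped = ciphers_by_protocol(cipher_string)
    requested = set(cipher_string.split(":"))
    older = [name for proto, names in grouped.items()
             if proto != "TLSv1.3" for name in names]
    if not set(older) <= requested:
        return False
    if not ssl.HAS_TLSv1_3:
        # Nothing to observe on a build without TLS 1.3 support.
        return True
    return len(grouped.get("TLSv1.3", [])) > 0


if __name__ == "__main__":
    # Operator's view: the `ciphers`-style string trimmed TLS 1.2, while
    # the TLS 1.3 list is whatever the library default is.
    for proto, names in sorted(ciphers_by_protocol(TLS12_ONLY).items()):
        print(proto, names)
    print("TLS 1.3 suites unaffected:", tls13_suites_survive(TLS12_ONLY))
```

This is the reason a separate knob matters operationally: an operator who restricts `ciphers` and assumes the whole handshake is covered has not touched the TLS 1.3 suites at all. Python's ssl module offers no wrapper for SSL_CTX_set_ciphersuites() as far as I know, so the TLS 1.3 side of this check has to be done in C against the OpenSSL API itself, which is exactly the call Lukas proposes exposing as-is.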
