Hi Lukas,

> On 13 Sep 2018, at 16:14, Lukas Tribus <[email protected]> wrote:
>
> Definitely not some by string matching, openssl could have done
> exactly that, they chose to make a new API call instead, and they
> expect applications to introduce new configuration knobs or use the
> generic configuration interface SSL_CONF, so no, let's not get crazy
> with string magic here and expose the API as-is to the users
> (SSL_CTX_set_ciphersuites() or the generic SSL_CONF()).
So with a new API call, does that mean adding, for example, a `ciphersuites` option that works similarly to `ciphers` today, in that it accepts a string and then calls `SSL_CTX_set_ciphersuites`? I can see if I can create a patch that does that (and ideally one that could be backported to 1.8 as well, since I would like to be able to run TLS 1.3 with 1.8, which works perfectly fine apart from the lack of tuning for this).

> I assume we don't have to change anything regarding groups/curves,
> although they implemented the new SSL_CTX_set1_groups() call, but if I
> understand correctly SSL_CTX_set1_curves_list() works just as well
> with TLSv1.3, right?

Yes, these still work with TLSv1.3, but according to
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_curves_list.html
there is a preference for the group functions (though not something I think needs to be addressed in the same patch / change?):

---
The curve functions are synonyms for the equivalently named group functions and are identical in every respect. They exist because, prior to TLS1.3, there was only the concept of supported curves. In TLS1.3 this was renamed to supported groups, and extended to include Diffie Hellman groups. The group functions should be used in preference.
---

Cheers,
Dirkjan
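As an added illustration (not code from the thread, HAProxy or OpenSSL), the script below uses the `openssl ciphers` command, which takes the classic cipher string and, from OpenSSL 1.1.1 on, a separate `-ciphersuites` string, to show why a separate `ciphersuites` knob is needed: the string that `SSL_CTX_set_cipher_list()` consumes only selects TLSv1.2-and-earlier ciphers, while only the string given to `SSL_CTX_set_ciphersuites()` governs the TLSv1.3 suites. It assumes an `openssl` binary of version 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes OpenSSL >= 1.1.1
# so that `openssl ciphers` understands -ciphersuites (the TLSv1.3 list).

# Print the effective cipher list for a classic cipher string (what
# SSL_CTX_set_cipher_list() takes) combined with a TLSv1.3 ciphersuites
# string (what SSL_CTX_set_ciphersuites() takes), one "NAME PROTOCOL" per line.
effective_ciphers() {
    cipher_list=$1
    ciphersuites=$2
    openssl ciphers -v -ciphersuites "$ciphersuites" "$cipher_list" \
        | awk '{ print $1, $2 }'
}

# Number of TLSv1.3 suites in the effective list. This depends only on
# the ciphersuites string; `|| true` keeps grep's exit 1 on a zero count
# from aborting a `set -e` caller.
count_tls13() {
    effective_ciphers "$1" "$2" | grep -c ' TLSv1.3$' || true
}

# Number of pre-TLSv1.3 ciphers in the effective list. This depends only
# on the classic cipher string.
count_legacy() {
    effective_ciphers "$1" "$2" | grep -vc ' TLSv1.3$' || true
}

# Demonstration: the two knobs are independent. Changing the classic
# string never touches the TLSv1.3 suites, and adding TLSv1.3 suites
# never touches the legacy ciphers.
demo() {
    echo "TLSv1.3 suites with a one-cipher legacy list: $(count_tls13 'ECDHE-RSA-AES128-GCM-SHA256' 'TLS_AES_256_GCM_SHA384')"
    echo "TLSv1.3 suites after changing the legacy list: $(count_tls13 'ECDHE-ECDSA-AES256-GCM-SHA384' 'TLS_AES_256_GCM_SHA384')"
    echo "Legacy ciphers after adding a second TLSv1.3 suite: $(count_legacy 'ECDHE-RSA-AES128-GCM-SHA256' 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')"
}
```

Run `demo` to see the three counts; a `ciphers`-only configuration would leave the TLSv1.3 half of that list at OpenSSL's built-in default no matter what the classic string says.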

