> On Jan 21, 2019, at 19:31, Adam Langley <a...@imperialviolet.org> wrote:
>
> On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink <d.buss...@gmail.com> wrote:
>> Ah ok, I recently added support in HAProxy to handle the new
>> SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3
>> ciphers separately from the regular ones. Are those things that BoringSSL
>> would also want to adopt then?
>
> SSL_CTX_set_ciphersuites is more than a compatibility hack like adding
> a dummy #define, and the considerations are more complex. I'm not sure
> that we want to allow TLS 1.3 ciphersuites to be configured: the
> excessive number of cipher suites prior to TLS 1.3 was a problem, as
> was the excessive diversity of configurations. Also, string-based APIs
> have historically been expensive because they prevent easy static
> analysis. So we could add a dummy SSL_CTX_set_ciphersuites that always
> returns zero, but most applications would probably take that to be a
> fatal error so that wouldn't be helpful. So SSL_CTX_set_ciphersuites
> might be a case where a #ifdef is the best answer. But we'll always
> think about such things if asked.
>
I agree, no need for SSL_CTX_set_ciphersuites. If a security issue appears in a cipher, I suppose BoringSSL will evolve with a default fix.

> (If you happen to know, I would be curious who is using BoringSSL with
> HAProxy.)

We have used BoringSSL in production for 1.5 years.

++
Manu