Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. [[email protected]: Re: [openssl-users] openssl 1.0.2 and TLS
1.3] (The Doctor)
2. Re: [[email protected]: Re: [openssl-users] openssl 1.0.2 and
TLS 1.3] (Julien ÉLIE)
----------------------------------------------------------------------
Message: 1
Date: Tue, 11 Sep 2018 08:08:17 -0600
From: The Doctor <[email protected]>
To: [email protected]
Subject: [[email protected]: Re: [openssl-users] openssl 1.0.2 and TLS
1.3]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
----- Forwarded message from Matt Caswell <[email protected]> -----
Date: Tue, 11 Sep 2018 15:01:38 +0100
From: Matt Caswell <[email protected]>
To: [email protected]
Subject: Re: [openssl-users] openssl 1.0.2 and TLS 1.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Thunderbird/52.9.1
On 11/09/18 14:58, The Doctor wrote:
> On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
>>
>> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
>>>> From: openssl-users <[email protected]> On behalf of The Doctor
>>>> Sent: Tuesday, 11 September 2018 08:49
>>>> To: [email protected]; [email protected]
>>>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>>>
>>>> Will that combination occur?
>>>
>>> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be
>>> released today.
>>> OpenSSL 1.0.2 is an LTS release which will only receive security
>>> updates and no new features.
>>
>> Strictly speaking 1.0.2 will receive bug fixes and security fixes until
>> the end of this year. From the end of this year until the end of 2019 it
>> will receive security fixes only. In any case it will receive no new
>> features (including TLSv1.3).
>>
>> From the release of 1.1.1 (today), 1.1.0 will receive security fixes
>> only for one year.
>>
>> Matt
>
> Got you.
>
> So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
> in order to use TLS 1.3.
Yes. I would encourage *all* applications still on the 1.0.x API to move
to 1.1.1 asap. By the end of next year there will be no supported
OpenSSL version that has the old API.
Matt
>>> HTH,
>>> Matthias
>>>
>>> See also
>>> https://wiki.openssl.org/index.php/TLS1.3
>>> https://www.openssl.org/policies/releasestrat.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
----- End forwarded message -----
FYI we should be ready!
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
NB 24 Sept vote Liberal! Quebec votez contre le PQ et le QS des 1 October 2018!
------------------------------
Message: 2
Date: Tue, 11 Sep 2018 22:08:40 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: [[email protected]: Re: [openssl-users] openssl 1.0.2 and
TLS 1.3]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi The Doctor,
Thanks for your message!
>> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be
>> released today.
>> OpenSSL 1.0.2 is an LTS release which will only receive security
>> updates and no new features.
>
> I would encourage *all* applications still on the 1.0.x API to move
> to 1.1.1 asap. By the end of next year there will be no supported
> OpenSSL version that has the old API.
Please note that INN 2.6.1 supports OpenSSL 1.1.0.
And INN 2.6.2 added the "TLSv1.3" keyword value for the "tlsprotocols"
parameter in inn.conf so that it could be disabled, if need be.
(Otherwise, it is always enabled.)
So basically, the last two INN releases support this new version of TLS.
According to a recent post from Michael Bäuerle in news.software.nntp,
TLS 1.3 is confirmed to work fine with a pre-release version of OpenSSL
1.1.1 (only a minor question about cipher server preferences remains).
I've just read the changelog provided with OpenSSL 1.1.1. Two things
are worth mentioning:

*) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use
   blocking I/O in combination with something like select() or poll()
   will hang. This can be turned off again using SSL_CTX_clear_mode().
   Many applications do not properly handle non-application data
   records, and TLS 1.3 sends more of such records. Setting
   SSL_MODE_AUTO_RETRY works around the problems in those applications,
   but can also break some. It's recommended to read the manpages about
   SSL_read(), SSL_write(), SSL_get_error(), SSL_shutdown(),
   SSL_CTX_set_mode() and SSL_CTX_set_read_ahead() again.
=> We're normally not in that case, but some other applications may. I
highlight that for the record, in case someone complains about hangs.
*) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2
   ciphersuite configuration. TLSv1.3 ciphersuites are not compatible
   with TLSv1.2 and below. Similarly TLSv1.2 ciphersuites are not
   compatible with TLSv1.3. In order to avoid issues where legacy
   TLSv1.2 ciphersuite configuration would otherwise inadvertently
   disable all TLSv1.3 ciphersuites the configuration has been
   separated out.
   Added a new API for TLSv1.3 ciphersuites:
     SSL_CTX_set_ciphersuites()
     SSL_set_ciphersuites()
=> Ah, this breaks the use of the "tlsciphers" parameter in inn.conf!
If TLS 1.3 is in use, the parameter will not be taken into account.
I'm inclined to just re-use the same parameter for TLS 1.3 and not
create a specific parameter in inn.conf. One can put version-specific
ciphers in the list; OpenSSL will ignore the ciphers that do not apply
to the negotiated version.
@Christian Mock, if you have any advice for that, or generally a better
TLS 1.3 implementation in INN, please feel free to tell.
--
Julien ÉLIE
"Nothing and nobody is entirely wrong: even a stopped clock is right
twice a day." (John Steinbeck)
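The separation the changelog describes, as an added example that is not part of the message above and not INN's or OpenSSL's own code. It is written against Python's standard-library ssl module rather than INN's C because that module is bound to the same OpenSSL and exposes exactly the legacy path (SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list()) while having no binding for SSL_CTX_set_ciphersuites(), which makes the effect on a single "tlsciphers"-style list easy to observe: a legacy list never restricts TLS 1.3, and a TLS 1.3 suite name in a legacy list is silently skipped (and the call fails if nothing else in the list matches). The split_tlsciphers() helper is a hypothetical sketch of how one combined inn.conf list could be fed to the two OpenSSL calls; it relies on the fact that OpenSSL's TLS 1.3 suite names are IANA names beginning with "TLS_", which no OpenSSL TLS 1.2-and-below cipher name does. All sample cipher strings are constructed for the example.

```python
"""Added example (not INN's or OpenSSL's code): observe, through Python's
stdlib ssl module, what OpenSSL 1.1.1's split between the legacy cipher
list and the TLS 1.3 ciphersuite list means for a single combined list.

Assumptions (not from the original message):
  * split_tlsciphers() is a hypothetical helper; it keys on OpenSSL's
    TLS 1.3 suite names all starting with "TLS_".
  * The cipher strings below are constructed sample input.
"""
import ssl


def is_tls13_suite(name):
    """OpenSSL's TLS 1.3 ciphersuite names are IANA names ("TLS_AES_...");
    its TLS 1.2-and-below names ("ECDHE-RSA-...") never start with "TLS_"."""
    return name.startswith("TLS_")


def split_tlsciphers(spec):
    """Split one colon-separated list (the combined list proposed in the
    message) into the two strings OpenSSL 1.1.1 needs:
    (string for SSL_CTX_set_cipher_list, string for SSL_CTX_set_ciphersuites).
    Either may come back empty, which a caller should treat as "keep
    OpenSSL's default for that protocol version".  Operators such as
    '!aNULL', '+', '-' or '@STRENGTH' are legacy-list syntax and stay there."""
    tls12, tls13 = [], []
    for token in filter(None, spec.split(":")):
        (tls13 if is_tls13_suite(token) else tls12).append(token)
    return ":".join(tls12), ":".join(tls13)


def legacy_list_accepted(spec):
    """Does SSL_CTX_set_cipher_list() accept this string?  OpenSSL returns
    an error (Python raises ssl.SSLError) when no TLS 1.2-or-below cipher
    matches, even if the string names valid TLS 1.3 suites: the legacy
    parser does not know them and skips them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return True


def tls13_suites_after_legacy_list(spec):
    """Apply a legacy cipher list and return the TLS 1.3 suites that are
    still enabled.  Because the two lists are separate, restricting the
    legacy list does not touch TLS 1.3, which is the point the message
    makes about "tlsciphers" not being taken into account for TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def tls13_available():
    """Whether the OpenSSL Python is linked against supports TLS 1.3."""
    return bool(ssl.HAS_TLSv1_3)


if __name__ == "__main__":
    combined = "TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL"
    print("combined list split for the two OpenSSL calls:",
          split_tlsciphers(combined))
    print("legacy list naming only a TLS 1.3 suite accepted?",
          legacy_list_accepted("TLS_AES_256_GCM_SHA384"))
    print("legacy list mixing both accepted?",
          legacy_list_accepted(combined))
    print("TLS 1.3 suites still enabled after a strict legacy list:",
          tls13_suites_after_legacy_list("ECDHE-RSA-AES256-GCM-SHA384"))
```

Running it against an OpenSSL 1.1.1 or later build shows the two halves of the concern: the mixed list is accepted only because a legacy cipher is present, and even the strictest legacy list leaves every default TLS 1.3 suite enabled, so anything meant to constrain TLS 1.3 has to reach SSL_CTX_set_ciphersuites() separately.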
------------------------------
------------------------------
End of inn-workers Digest, Vol 108, Issue 3
*******************************************