> On Apr 19, 2018, at 1:31 PM, David Benjamin <[email protected]> wrote:
>
> Consider a caller using a PKCS#1-only ENGINE-backed private key. PKCS#1 does
> not work in TLS 1.3, only PSS.
That's a local matter, and easy to resolve locally.
> Consider a caller which calls SSL_renegotiate.
Ditto. And sufficiently uncommon to not worry about.
> A client which expects the session to be available immediately after the
> handshake will also break.
Sessions are not always offered by the server, clients already have to deal
with this.
> Or someone who listens to the message callback.
Not worth worrying about.
> Or someone who only installed CBC-mode ciphers in initialization.
Not a problem, OpenSSL 1.1.1 has separate cipher controls for TLS 1.3
> Or just someone who calls SSL_version and checks that it is TLS1_2_VERSION.
They can set the max version. ...
The above are local edge cases. The SNI interoperability trap is random damage
imposed by apparently capricious remote servers. I plead you reconsider this
*particular* additional hoop for TLS 1.3 clients to jump through, just do
whatever you did with TLS 1.2. If TLS 1.2 failed with SNI, fine do the same
with TLS 1.3, if not then return the same chain.
--
Viktor.
_______________________________________________
openssl-project mailing list
[email protected]
https://mta.openssl.org/mailman/listinfo/openssl-project
