In message <[email protected]> on Thu, 19 Apr 2018 19:16:04 -0400, Viktor Dukhovni <[email protected]> said:
openssl-users> But not all the friction can be eliminated, and likely not
openssl-users> all providers can be persuaded to be more accommodating.
openssl-users> Which leaves us with some difficult judgement calls:
openssl-users>
openssl-users> * Restrict TLS 1.3 support to just applications compiled
openssl-users>   against 1.1.1?  A weak signal, but likely correlates at
openssl-users>   least somewhat with the application being ready.
openssl-users>
openssl-users> * Determine whether the application is likely to be compatible
openssl-users>   at runtime by looking at the provided configuration.  Is SNI
openssl-users>   enabled?  Is the certificate chain weird enough to break with
openssl-users>   TLS 1.3?  Has the application turned off critical algorithms?

Of those two, the second provides for a smoother transition to using
TLSv1.3; all it might take is changing a configuration, getting a newer
certificate with a more compatible chain, or changing an engine module.
Some of those may take some time (even purchasing a new cert, what do I
know?), but still.  If at all possible, the second choice seems like the
better one.

The only reason I can see for the first option is if there are things
that cannot be detected at run-time that would cause the use of older
protocols rather than TLSv1.3.  I suspect a too early call of
SSL_version might be one that's hard to cope with...

openssl-users> * Do nothing, let the applications adapt or stick with older
openssl-users>   libraries?

I don't see this as acceptable.  Let's remember that 1.1.0 -> 1.1.1 is a
*minor* upgrade, i.e. it should be a drop-in, backward compatible
replacement.  If that upgrade causes applications to suddenly stop
working because we're force feeding them TLSv1.3, then we've failed that
technical promise.  If I were a user in that scenario, I'd be furious.

openssl-users> * Something else?

Making this a *major* upgrade, i.e. 1.2.0.

openssl-users> We don't have much time before release, what do we do?
If we can't resolve this, there is the option of delaying the release.
The release strategy is clear on this: "This may be amended at any time
as the need arises."  (https://www.openssl.org/policies/releasestrat.html)

Cheers,
Richard

--
Richard Levitte         [email protected]
OpenSSL Project         http://www.openssl.org/~levitte/
