Re: [twsocket] TLSv1.3 published
> As I'm a neophyte on TLS evolution, could you make a small > summary of what v1.3 brings in? Briefly, TLSv1.3 is simplified and faster with fewer options, and more secure (harder to intercept with Wireshark and other tools) than TLSv1.2. From Wikipedia: Major differences from TLS 1.2 include: - Separating key agreement and authentication algorithms from the cipher suites - Removing support for weak and lesser-used named elliptic curves - Removing support for MD5 and SHA-224 cryptographic hash functions - Requiring digital signatures even when a previous configuration is used - Integrating HKDF and the semi-ephemeral DH proposal - Replacing resumption with PSK and tickets - Supporting 1-RTT handshakes and initial support for 0-RTT - Mandating perfect forward secrecy, by means of using ephemeral keys during the (EC)DH key agreement - Dropping support for many insecure or obsolete features including compression, renegotiation, non-AEAD ciphers, non-PFS key exchange (among which static RSA and static DH key exchanges), custom DHE groups, EC point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers - Prohibiting SSL or RC4 negotiation for backwards compatibility - Integrating use of session hash - Deprecating use of the record layer version number and freezing the number for improved backwards compatibility - Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix - Addition of the ChaCha20 stream cipher with the Poly1305 message authentication code - Addition of the Ed25519 and Ed448 digital signature algorithms - Addition of the x25519 and x448 key exchange protocols >From an ICS perspective, most of this is transparent, unless you specify specific ciphers when you need to add new TLSv1.3 versions (max six) which ICS servers with IcsHosts do automatically. Angus -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] TLSv1.3 published
Thanks for your continued support of ICS. As I'm a neophyte on TLS evolution, could you make a small summary of what v1.3 brings in? Thanks a lot Olivier On 21/08/2018 19:29, Angus Robertson - Magenta Systems Ltd wrote: Hopefully the last OpenSSL beta release of 1.1.1 today, with the final release in September. OpenSSL 1.1.1-pre9 (beta) is available for download as Win32 or Win64, needs the overnight/SVN ICS V8.57 version to load. http://wiki.overbyte.eu/wiki/index.php/ICS_Download This beta supports TLSv1.3 final RFC8446, although neither the latest Firefox or Chrome betas I have support it, yet. I believe ICS now fully supports TLSv1.3, I have web, mail and FTP clients and servers sending data to each other using TLSv1.3 and the browser demo sample can open a few sites using TLSv1.3 final RFC8446. Angus -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] TLSv1.3 published
Hopefully the last OpenSSL beta release of 1.1.1 today, with the final release in September. OpenSSL 1.1.1-pre9 (beta) is available for download as Win32 or Win64, needs the overnight/SVN ICS V8.57 version to load. http://wiki.overbyte.eu/wiki/index.php/ICS_Download This beta supports TLSv1.3 final RFC8446, although neither the latest Firefox or Chrome betas I have support it, yet. I believe ICS now fully supports TLSv1.3, I have web, mail and FTP clients and servers sending data to each other using TLSv1.3 and the browser demo sample can open a few sites using TLSv1.3 final RFC8446. Angus -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
[twsocket] TLSv1.3 published
Transport Layer Security (TLS) Protocol Version 1.3 has finally been published as RFC8446. https://tools.ietf.org/rfc/rfc8446.txt OpenSSL will be doing a final beta of 1.1.1 shortly followed by the final release later this month. New versions of ICS will be needed for both of these. A new planned release of older versions of OpenSSL is also due next week, but may be delayed so they all come out together. Expect to see lots of new application releases with support for TLSv1.3. While many already support earlier drafts of TLSv1.3, they were all draft specific and will need a final version to support RFC8446. Angus -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be