It's 10 years since the last SSL/TLS protocol update, and TLSv1.3 is
nearing final approval.

ICS V8.52 adds support for OpenSSL 1.1.1-pre1 (alpha) released 13 Feb
2018, which adds the new protocol TLSv1.3 draft 23, and various new
cryptographic private key and hash digest types.  We don't normally
publish pre-release versions of OpenSSL, but this is the first new
version of TLS for 10 years and people may want to test it.  OpenSSL
plans new pre-releases every two or so weeks with a final release of
1.1.1 no earlier than 8th May 2018 provided that TLSv1.3 is formally
agreed by then. Draft 24 was published on 1th February and I'd expect
it to be in the next OpenSSL due end of February.  Beware that no
currently released browsers will yet view TLSv1.3 draft 23 pages, most
seem to be stuck on draft 18. Also OpenSSL 1.1.1-pre1 (alpha) is
clearly test software and is not recommended for production
environments.

The zip for the Win32 version of OpenSSL 1.1.1-pre1 (alpha)
can now be downloaded from the Wiki at:

http://wiki.overbyte.eu/wiki/index.php/ICS_Download

You also require a version of ICS dated after the OpenSSL release (each
needs to be tested for compatibility), usually the nightly zip which is
currently V8.52. 

I have built my ICS web application server with ICS V8.52 and one spare
server is now using OpenSSL 1.1.1-pre1 (alpha) so can be used for
testing TLSv1.3. The information page shows the protocol you connect
with, the ciphers available and the OpenSSL version being used.
Currently, browsers will connect with TLSv1.2, but the ICS
OverbyteIcsHttpsTst sample connects with TLSv1.3.

https://www2.telecom-tariffs.co.uk/serverinfo.htm

To enable TLSv1.3 support in client applications, you just need
SslContext SslMaxVersion set to sslVerTLS1_3 or sslVerMax, and no
restrictions on the cipher list.  For servers, in addition to
SslMaxVersion, you must add new TLSv1.3 ciphers by adding constant
sslCipherTLS13 before the current cipher list such as
sslCiphersMozillaSrvHigh, as shown in OverbyteIcsWSocketS.pas and
OverbyteIcsSslWebServ1.pas.  Any servers using the new
IcsHostCollection will automatically support TLSv1.3. 

Angus


