It's 10 years since the last SSL/TLS protocol update, and TLSv1.3 is nearing final approval.

ICS V8.52 adds support for OpenSSL 1.1.1-pre1 (alpha) released 13 Feb 2018, which adds the new protocol TLSv1.3 draft 23, and various new cryptographic private key and hash digest types.

We don't normally publish pre-release versions of OpenSSL, but this is the first new version of TLS for 10 years and people may want to test it. OpenSSL plans new pre-releases every two or so weeks with a final release of 1.1.1 no earlier than 8th May 2018 provided that TLSv1.3 is formally agreed by then. Draft 24 was published on 1th February and I'd expect it to be in the next OpenSSL due end of February.

Beware that no currently released browsers will yet view TLSv1.3 draft 23 pages; most seem to be stuck on draft 18. Also, OpenSSL 1.1.1-pre1 (alpha) is clearly test software and is not recommended for production environments.

The zip for the Win32 version of OpenSSL 1.1.1-pre1 (alpha) can now be downloaded from the Wiki at:

http://wiki.overbyte.eu/wiki/index.php/ICS_Download

You also require a version of ICS dated after the OpenSSL release (each needs to be tested for compatibility), usually the nightly zip which is currently V8.52.

I have built my ICS web application server with ICS V8.52 and one spare server is now using OpenSSL 1.1.1-pre1 (alpha) so can be used for testing TLSv1.3. The information page shows the protocol you connect with, the ciphers available and the OpenSSL version being used. Currently, browsers will connect with TLSv1.2, but the ICS OverbyteIcsHttpsTst sample connects with TLSv1.3.

https://www2.telecom-tariffs.co.uk/serverinfo.htm

To enable TLSv1.3 support in client applications, you just need SslContext SslMaxVersion set to sslVerTLS1_3 or sslVerMax, and no restrictions on the cipher list.

For servers, in addition to SslMaxVersion, you must add new TLSv1.3 ciphers by adding constant sslCipherTLS13 before the current cipher list such as sslCiphersMozillaSrvHigh, as shown in OverbyteIcsWSocketS.pas and OverbyteIcsSslWebServ1.pas.
Any servers using the new IcsHostCollection will automatically support TLSv1.3.

Angus