> As I'm a neophyte on TLS evolution, could you make a small 
> summary of what v1.3 brings in?

Briefly, TLSv1.3 is simplified and faster with fewer options, and more
secure (harder to intercept with Wireshark and other tools) than
TLSv1.2.  From Wikipedia:

Major differences from TLS 1.2 include:

- Separating key agreement and authentication algorithms from the
cipher suites
- Removing support for weak and lesser-used named elliptic curves
- Removing support for MD5 and SHA-224 cryptographic hash functions
- Requiring digital signatures even when a previous configuration is
used
- Integrating HKDF and the semi-ephemeral DH proposal
- Replacing resumption with PSK and tickets
- Supporting 1-RTT handshakes and initial support for 0-RTT
- Mandating perfect forward secrecy, by means of using ephemeral keys
during the (EC)DH key agreement
- Dropping support for many insecure or obsolete features including
compression, renegotiation, non-AEAD ciphers, non-PFS key exchange
(among which static RSA and static DH key exchanges), custom DHE groups,
EC point format negotiation, Change Cipher Spec protocol, Hello message
UNIX time, and the length field AD input to AEAD ciphers
- Prohibiting SSL or RC4 negotiation for backwards compatibility
- Integrating use of session hash
- Deprecating use of the record layer version number and freezing the
number for improved backwards compatibility
- Moving some security-related algorithm details from an appendix to
the specification and relegating ClientKeyShare to an appendix
- Addition of the ChaCha20 stream cipher with the Poly1305 message
authentication code
- Addition of the Ed25519 and Ed448 digital signature algorithms
- Addition of the x25519 and x448 key exchange protocols

From an ICS perspective, most of this is transparent, unless you
specify specific ciphers when you need to add new TLSv1.3 versions (max
six) which ICS servers with IcsHosts do automatically.  

Angus
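
The point about specifying ciphers, shown as an added example that is not part of the original message and is not ICS code: it uses Python's standard ssl module (an assumption chosen for illustration), where an OpenSSL cipher string only governs TLSv1.2 and earlier, and the TLSv1.3 suites stay enabled separately. The cipher string used is a constructed sample.

```python
import ssl


def split_suites(cipher_string):
    """Apply an OpenSSL cipher string and report what the context will offer.

    Returns (tls13, older), each a list of (name, key_exchange, auth) tuples.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This string restricts TLSv1.2-and-earlier suites only; Python's ssl
    # module does not let set_ciphers() disable the TLSv1.3 suites.
    ctx.set_ciphers(cipher_string)

    tls13, older = [], []
    for suite in ctx.get_ciphers():
        row = (suite["name"], suite["kea"], suite["auth"])
        if suite["protocol"] == "TLSv1.3":
            tls13.append(row)
        else:
            older.append(row)
    return tls13, older


if __name__ == "__main__":
    # Constructed sample: an administrator pins a single TLSv1.2 suite.
    tls13, older = split_suites("ECDHE-RSA-AES256-GCM-SHA384")

    print("TLSv1.2 and earlier (from the cipher string):")
    for name, kea, auth in older:
        # Key exchange and authentication are part of the suite itself.
        print(f"  {name:32} kx={kea:10} auth={auth}")

    print("TLSv1.3 (configured separately):")
    for name, kea, auth in tls13:
        # Key exchange and authentication are negotiated outside the suite,
        # so OpenSSL reports them as "any".
        print(f"  {name:32} kx={kea:10} auth={auth}")
```

A server configuration that pins ciphers therefore needs the TLSv1.3 suites reviewed as their own list, not assumed to follow the TLSv1.2 string.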

