[Gt-eos] TLS 1.3

Frank Scheiner scheiner at hlrs.de
Thu May 24 19:02:06 CEST 2018


Hi Mischa, Mattias, others,

On 05/24/2018 02:56 PM, Mischa Salle wrote:
> Most is summarized in a wiki https://wiki.openssl.org/index.php/TLS1.3
> They also say there that 1.1.1 is not being released before TLS1.3 is
> actually released (currently still in draft:
> https://tools.ietf.org/html/draft-ietf-tls-tls13-28)

That's important information, so currently not even the TLSv1.3 draft 
is finished, hence the current implementation in OpenSSL 1.1.1 
"pre-releases" is also not final.

For now could it not also be possible to link to OpenSSL 1.1.1 and still 
limit usage of TLS to TLSv1.2?

Because the wiki article says below "Ciphersuites":
```
[...]
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:

     TLS_AES_256_GCM_SHA384
     TLS_CHACHA20_POLY1305_SHA256
     TLS_AES_128_GCM_SHA256
[...]
By default the first three of the above ciphersuites are enabled by 
default. This means that if you have no explicit ciphersuite 
configuration then you will automatically use those three and will be 
able to negotiate TLSv1.3.
[...]
```
...so it looks to me like it defaults to TLSv1.3, but maybe this can be 
changed by a switch or an option.

And if I understand the following note from [1] correctly:
```
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in 
the early days of specification and there is no OpenSSL support for it 
at this time.
```
...there is also currently no TLSv1.3 equivalent for UDT (i.e. no DTLSv1.3).

[1]: 
https://wiki.openssl.org/index.php/TLS1.3#Differences_with_TLS1.2_and_below

Cheers,
Frank

-- 
Frank Scheiner

High Performance Computing Center Stuttgart (HLRS)
Department Project User Management & Accounting

Email: scheiner at hlrs.de
Phone: +49 711 685 68039
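
The question in the message above, whether a program can link against OpenSSL 1.1.1 and still stay at TLSv1.2, can be checked by capping the protocol version and inspecting the ClientHello that results. The following is an added example, not part of the original post or of any project discussed in it. It uses Python's `ssl` module, whose `maximum_version` setting corresponds to OpenSSL's `SSL_CTX_set_max_proto_version()`; the host name `example.invalid` and the function names are made up for illustration.

```python
import ssl
import struct

SUPPORTED_VERSIONS = 43   # extension type carrying the offered versions
TLS13 = 0x0304            # wire value for TLSv1.3


def client_hello(max_version=None):
    """Return the raw ClientHello a client context would send (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if max_version is not None:
        ctx.maximum_version = max_version      # cap the negotiable version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.invalid" is a placeholder host name; nothing is contacted.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass   # expected: ClientHello written, no peer to answer it
    return outgoing.read()


def offered_versions(record):
    """List the versions in the ClientHello's supported_versions extension."""
    # record header (5) + handshake header (4) + legacy_version (2) + random (32)
    pos = 5 + 4 + 2 + 32
    pos += 1 + record[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]     # cipher_suites
    pos += 1 + record[pos]                                  # compression_methods
    if pos + 2 > len(record):
        return []                                           # no extensions at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SUPPORTED_VERSIONS:
            n = record[pos]                                 # list length in bytes
            return [struct.unpack_from("!H", record, pos + 1 + i)[0]
                    for i in range(0, n, 2)]
        pos += ext_len
    return []   # extension absent: only legacy_version (TLSv1.2 or lower) applies


if __name__ == "__main__":
    print("default:", [hex(v) for v in offered_versions(client_hello())])
    capped = offered_versions(client_hello(ssl.TLSVersion.TLSv1_2))
    print("capped :", [hex(v) for v in capped])
```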
