[Gt-eos] TLS 1.3

Mischa Salle msalle at nikhef.nl
Fri May 25 12:56:50 CEST 2018


Hi Frank, others,

On Thu, May 24, 2018 at 07:02:06PM +0200, Frank Scheiner wrote:
> Hi Mischa, Mattias, others,
> 
> On 05/24/2018 02:56 PM, Mischa Salle wrote:
> > Most is summarized in a wiki https://wiki.openssl.org/index.php/TLS1.3
> > They also say there that 1.1.1 is not being released before TLS1.3 is
> > actually released (currently still in draft:
> > https://tools.ietf.org/html/draft-ietf-tls-tls13-28)
> 
> That's important information, so currently not even the TLSv1.3 draft is
> finished, hence the current implementation in OpenSSL 1.1.1 "pre-releases"
> is also not final.
True. In any case, I think it's in Debian experimental, such that we can
figure out all these issues (-;

> For now could it not also be possible to link to OpenSSL 1.1.1 and still
> limit usage of TLS to TLSv1.2?
I guess (although I couldn't yet figure out with a quick look how) that
it is possible to compile code against OpenSSL such that it will default
to TLSv1.2 (or something else) and never try TLSv1.3. On the other hand,
it would be nice if we could make the globus-gsi code TLSv1.3 compliant.

> Because the wiki article says below "Ciphersuites":
> ```
> [...]
> OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:
> 
>     TLS_AES_256_GCM_SHA384
>     TLS_CHACHA20_POLY1305_SHA256
>     TLS_AES_128_GCM_SHA256
> [...]
> By default the first three of the above ciphersuites are enabled by default.
> This means that if you have no explicit ciphersuite configuration then you
> will automatically use those three and will be able to negotiate TLSv1.3.
> [...]
> ```
> ...so it looks to me like it defaults to TLSv1.3, but maybe this can be
> changed by a switch or an option.
I guess also that this can be changed at compile (or run) time...

    Cheers,
    Mischa

> And if I understand the following note from [1] correctly:
> ```
> Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the
> early days of specification and there is no OpenSSL support for it at this
> time.
> ```
> ...there is also currently no TLSv1.3 equivalent for UDT (i.e. no DTLSv1.3).
> 
> [1]:
> https://wiki.openssl.org/index.php/TLS1.3#Differences_with_TLS1.2_and_below
> 
> Cheers,
> Frank
> 
> -- 
> Frank Scheiner
> 
> High Performance Computing Center Stuttgart (HLRS)
> Department Project User Management & Accounting
> 
> Email: scheiner at hlrs.de
> Phone: +49 711 685 68039
> 

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..