https://bugs.exim.org/show_bug.cgi?id=2872
--- Comment #6 from help@novo.media ---

One has to think of TLS 1.3 as a completely new protocol. Apart from its name, it has nothing in common with TLS 1.2 anymore. Not only are the cipher names completely new, but the entire handshake structure of TLS 1.3 is also faster. At its conception, there were even discussions about whether it should be named TLS 2.0 instead of TLS 1.3, because the changes were so fundamental.

In terms of ciphers, only generic names are available now, with a general description of the algorithm and its hashing strength. Gone are the days where one has to define the type of DH exchange (DH, DHE or ECDHE) or the type of certificate (DSA, RSA or ECDSA) within a cipher; instead one 'generic name' per cipher is defined and the library - in this case OpenSSL - handles the rest.

There can't be any version downgrade-ability, simply because the information in a 'generic TLS 1.3 ciphersuite name' does not contain the information needed for a specific TLS 1.2 cipher. There is no such thing as "the same cipher" for TLS 1.2 and 1.3 or vice versa. And that is just on the cipher side. The handshake is different too, which makes the prospect of complete interchangeability even "more impossible". TLS 1.3 has 'nothing' to do with TLS 1.2 anymore. They are like siblings but from different parents, so to speak.

A simple but great rule to help throughout this confusion is the question: Would this kind of outcome be considered good/right/expected if TLS 1.3 were the only version (ever) existing? If the answer is yes, then everything works as expected, even if TLS 1.2 is around or beside it.

In the case of the TLS 1.3 issue mentioned before: Would a TLS 1.3 connection termination because of a cipher mismatch be considered good/right/expected if TLS 1.3 were the only version (ever) existing? Yes, absolutely. Therefore everything works as expected. TLS 1.2 has absolutely nothing to do with this anymore.

I hope this could clear up some misconceptions.
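The comment's central claim, that a suite name belongs to exactly one protocol version and that a TLS 1.3 name no longer encodes the key-exchange or certificate type, can be checked against the OpenSSL build on hand. The following is an added example, not code from the bug report or from Exim; it uses only Python's standard `ssl` module (which wraps OpenSSL) and its `SSLContext.get_ciphers()` report, and the function names are this example's own.

```python
import ssl
from collections import defaultdict


def cipher_catalogue(ctx=None):
    """Group the suites a context will offer by the protocol version each
    one belongs to. get_ciphers() reports, per suite, the version OpenSSL
    tied it to ('TLSv1.3', 'TLSv1.2', ...); a name never spans versions."""
    if ctx is None:
        ctx = ssl.create_default_context()
    groups = defaultdict(list)
    for entry in ctx.get_ciphers():
        groups[entry["protocol"]].append(entry["name"])
    return dict(groups)


def is_tls13_suite_name(name):
    """TLS 1.3 suites carry IANA names of the form TLS_<aead>_<hash>;
    the OpenSSL-style 'ECDHE-RSA-AES256-GCM-SHA384' names belong to
    TLS 1.2 and earlier."""
    return name.startswith("TLS_")


def handshake_params(entry):
    """Extract the key-exchange (Kx=) and authentication (Au=) fields from
    OpenSSL's one-line cipher description, e.g.
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'.
    For a TLS 1.3 suite OpenSSL reports Kx=any Au=any: the name fixes only
    the AEAD cipher and the hash, not the (EC)DHE group or certificate type."""
    fields = dict(tok.split("=", 1)
                  for tok in entry["description"].split() if "=" in tok)
    return fields.get("Kx"), fields.get("Au")


def versions_share_no_names(catalogue):
    """True if no suite name appears under more than one protocol version,
    i.e. there is no 'same cipher' across TLS 1.2 and TLS 1.3."""
    seen = {}
    for proto, names in catalogue.items():
        for name in names:
            if seen.setdefault(name, proto) != proto:
                return False
    return True


def tls13_names_hide_kx_and_auth(ctx=None):
    """True if every TLS 1.3 suite the context offers reports Kx=any and
    Au=any, so key exchange and certificate type are negotiated separately
    from the suite name."""
    if ctx is None:
        ctx = ssl.create_default_context()
    for entry in ctx.get_ciphers():
        if entry["protocol"] == "TLSv1.3":
            if handshake_params(entry) != ("any", "any"):
                return False
    return True


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    for proto, names in sorted(cipher_catalogue(ctx).items()):
        print(proto)
        for name in names:
            print("   ", name)
    print()
    for entry in ctx.get_ciphers():
        print("%-32s Kx=%s Au=%s" % ((entry["name"],) + handshake_params(entry)))
    print("no name shared across versions:", versions_share_no_names(cipher_catalogue(ctx)))
    print("TLS 1.3 names hide Kx/Au:", tls13_names_hide_kx_and_auth(ctx))
```

Run against a TLS 1.3-capable OpenSSL, the listing shows the two families side by side: the TLSv1.3 group contains only `TLS_*` names with `Kx=any Au=any`, while every TLSv1.2 entry spells out its key exchange and certificate type in both its name and its description. That is why a configured TLS 1.2 cipher string cannot stand in for, or be downgraded to, a TLS 1.3 ciphersuite setting: the two lists are configured independently and OpenSSL evaluates each only for its own version.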
--
You are receiving this mail because: You are on the CC list for the bug.

## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/