Hi all,

With the release of OpenSSL 1.1.1, TLS 1.3 is now also available. It already is 
working fine in my testing with HAProxy 1.8, there is however one issue. 
Currently there is no way to control the ciphers for TLS 1.3 from HAProxy, as 
according to the OpenSSL documentation, ciphers are handled by a separate 
method for TLS 1.3 compared to TLS 1.2 and earlier:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html

SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and 
below) for ctx using the control string str.

SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3 
ciphersuites for ctx.


Before I jump into writing code for this, I'm wondering what the approach is 
that HAProxy wants to take here. Should a similar option to today's `ciphers` 
option be made available in HAProxy to control the TLS 1.3 ciphers? If so, what 
should that be named? 

Or is another approach preferred here? For example by still using the `ciphers` 
configuration setting, but by then filtering out ciphers that start with 
`TLS13` and setting those separately with `SSL_CTX_set_ciphersuites`?

Cheers,

Dirkjan Bussink
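
The second approach from the message, splitting one `ciphers` string into the two lists the two OpenSSL calls expect, could look like the sketch below. It is an added example, not code from the message or from HAProxy; `split_cipher_string` and `append_token` are hypothetical names, and the prefix is a parameter so the `TLS13` value from the message is not hard-coded.

```c
#include <stddef.h>
#include <string.h>

/* Append one token to the colon-separated list in dst (capacity cap).
 * Returns 0 on success, -1 if the token would not fit. */
static int append_token(char *dst, size_t cap, const char *tok, size_t len)
{
    size_t used = strlen(dst);
    size_t need = used + (used ? 1 : 0) + len + 1; /* ':' + token + NUL */

    if (need > cap)
        return -1;
    if (used)
        dst[used++] = ':';
    memcpy(dst + used, tok, len);
    dst[used + len] = '\0';
    return 0;
}

/* Tokens starting with `prefix` go to tls13, everything else (including
 * operators such as "!aNULL") stays in legacy. Returns 0, or -1 on overflow.
 * Colons, commas and spaces are accepted as separators; empty tokens are
 * skipped. */
int split_cipher_string(const char *ciphers, const char *prefix,
                        char *legacy, size_t legacy_cap,
                        char *tls13, size_t tls13_cap)
{
    size_t plen = strlen(prefix);
    const char *p = ciphers;

    if (legacy_cap == 0 || tls13_cap == 0)
        return -1;
    legacy[0] = tls13[0] = '\0';

    while (*p) {
        size_t len = strcspn(p, ":, ");
        if (len > 0) {
            int is13 = len >= plen && strncmp(p, prefix, plen) == 0;
            if (append_token(is13 ? tls13 : legacy,
                             is13 ? tls13_cap : legacy_cap, p, len) != 0)
                return -1;
        }
        p += len;
        if (*p)
            p++; /* step over the separator */
    }
    /* legacy -> SSL_CTX_set_cipher_list(), tls13 -> SSL_CTX_set_ciphersuites();
     * the caller decides what to do when either list ends up empty. */
    return 0;
}
```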
