Hello! On Fri, Sep 28, 2018 at 04:56:10AM -0400, Alex Zhang wrote:
> It seems that OpenSSL has changed the way TLSv1.3 cipher suites are > configured. > According to the document > https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html, the > function SSL_CTX_set_cipher_list isn’t suitable for TLSv1.3, instead, > SSL_CTX_set_ciphersuits should be used. While Nginx’s now still use > SSL_CTX_set_cipher_list > to configure the SSL/TLS ciphers, which leads to the default cipher suits > are used all the time. > > Is there any support plan for this? Yes, as long as the long-term approach to configure ciphers for different TLS versions will be clear. Right now the only thing which is clear is that the SSL_CTX_set_ciphersuits() interface is a band-aid which leads to various surprising and inconsistent results. See https://trac.nginx.org/nginx/ticket/1529 for details. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx