In message <fe841b85-ec0c-4e5a-9c3c-3703a8b19...@dukhovni.org> on Tue, 17 Apr 2018 14:32:37 -0400, Viktor Dukhovni <openssl-us...@dukhovni.org> said:
openssl-users> > On Apr 17, 2018, at 2:15 PM, Richard Levitte <levi...@openssl.org> wrote:
openssl-users> >
openssl-users> > Depends on what "the best thing you know to do" is. In my mind,
openssl-users> > simply refusing to run as before because the new kid in town didn't
openssl-users> > like the environment (for example a cert that's perfectly valid for
openssl-users> > TLSv1.2 but invalid for TLSv1.3) it ended up in isn't "the best thing
openssl-users> > you know to do".
openssl-users> >
openssl-users> > But I get you, your idea of "the best thing you know to do" is to run
openssl-users> > the newest protocol unconditionally unless the user / application says
openssl-users> > otherwise, regardless of whether it's at all possible given the environment
openssl-users> > (like said cert).
openssl-users>
openssl-users> If there were a non-negligible use of certificates that work with TLS 1.2,
openssl-users> and that (implementation bugs aside) can't work with TLS 1.3, I'd support
openssl-users> your position strongly. As it stands, I think you're right in principle,
openssl-users> but not yet in practice. If we find no show-stopper issues, we should
openssl-users> allow TLS 1.3 to happen.

The troublesome thing with "but not yet in practice" is that we won't know
before 1.1.1 is finally released and has been deployed on a larger scale.
In my mind, that's too late.

So my view is much more black and white: is it at all possible that there
will be certificates or other "stuff" out there that will have libssl fail
setting up communication because of TLSv1.3? If the answer is yes, I find
it hard to ignore this.

openssl-users> I'm far more concerned about lingering middle-box issues, than about some
openssl-users> edge-case certificates...

There's that too, yeah.
--
Richard Levitte
levi...@openssl.org
OpenSSL Project
http://www.openssl.org/~levitte/

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project