On Thu, Jan 17, 2019 at 5:40 PM Jordan Brown
<open...@jordan.maileater.net> wrote:
> On 1/14/2019 4:09 AM, Matt Caswell wrote:
>
> This works more "by accident". There is no ciphersuite alias called 
> "TLSv1.3", so using it as above results in no ciphersuites matched. Since the 
> TLSv1.3 ciphersuites are on by default anyway that's all that you get back.
>
>
> From what you say, and based on experimentation, it seems like the TLSv1.3 
> ciphersuites are enabled even if you explicitly say to disable them.

3 of 5 TLS1.3 cipher suites are enabled by default.

I'm having to reverse engineer the intention, but I think that it was
thought that the cipher list API with its mini language was too
complex, so there is a new API for setting TLS1.3 cipher suites,
_set_ciphersuites(), and for openssl cipher, you can pass args to it
using the -ciphersuites option. You can also pass an empty string ""
to clear them.

Another reason for the second API and the odd interactions between
them may be that there are existing apps calling the set_cipher_list()
APIs: if their arg applied to TLS1.3 ciphers, it would always clear
them, so existing apps wouldn't use TLS1.3 even though they were
theoretically capable.

Anyhow, you are seeing that separation of two APIs, each configuring
suites for different protocol families (pre/post TLS1.3).
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
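The "existing app" situation described in the reply above, as an added example that is not part of the original thread or of OpenSSL's own code. CPython's ssl module wraps SSL_CTX_set_cipher_list() as SSLContext.set_ciphers() but, as far as I know, has no wrapper for SSL_CTX_set_ciphersuites(), so it behaves exactly like an application written before TLS1.3: whatever it passes to the old cipher-list API, the TLS1.3 suites stay enabled. The cipher-list string TLS12_ONLY_SPEC is constructed for the demo and assumed to be available in the OpenSSL the interpreter is linked against.

```python
import ssl

# Constructed for this demo: a cipher list naming only TLSv1.2 suites and
# nothing from TLSv1.3.  Assumed to exist in the linked OpenSSL build.
TLS12_ONLY_SPEC = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def partition_ciphers(cipher_list_spec=None):
    """Return (tls13_names, legacy_names) for a fresh client context.

    cipher_list_spec, if given, is applied with SSLContext.set_ciphers(),
    CPython's wrapper around SSL_CTX_set_cipher_list(), i.e. the API for
    TLSv1.2 and below.  The TLSv1.3 suites are owned by the separate
    SSL_CTX_set_ciphersuites() API, which this module never calls, so they
    are expected to come back untouched.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_list_spec is not None:
        ctx.set_ciphers(cipher_list_spec)
    tls13, legacy = [], []
    for c in ctx.get_ciphers():
        # get_ciphers() reports SSL_CIPHER_get_version() as "protocol";
        # the TLSv1.3 suites report "TLSv1.3", everything else is pre-1.3.
        (tls13 if c["protocol"] == "TLSv1.3" else legacy).append(c["name"])
    return tls13, legacy


def tls13_survives_cipher_list(cipher_list_spec):
    """True if the same non-empty set of TLSv1.3 suites is offered before
    and after applying cipher_list_spec through the pre-1.3 API."""
    default_tls13, _ = partition_ciphers()
    after_tls13, _ = partition_ciphers(cipher_list_spec)
    return len(after_tls13) > 0 and default_tls13 == after_tls13


if __name__ == "__main__":
    for label, spec in (("defaults", None), ("restricted", TLS12_ONLY_SPEC)):
        tls13, legacy = partition_ciphers(spec)
        print(f"{label}: {len(tls13)} TLSv1.3 suite(s), "
              f"{len(legacy)} pre-1.3 suite(s)")
        print("  TLSv1.3:", ", ".join(tls13))
        print("  pre-1.3:", ", ".join(legacy))
```

Run it and the TLSv1.3 line is identical in both blocks while the pre-1.3 line shrinks to the two named suites. To actually remove or choose the TLSv1.3 suites you have to go through the other API the reply names: SSL_CTX_set_ciphersuites(ctx, "") in C, or `openssl ciphers -ciphersuites ''` on the command line.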
