TLS 1.3 specific cipher list (OpenSSL) #2435

Closed
zzq1015 opened this issue Mar 28, 2018 · 3 comments

zzq1015 commented Mar 28, 2018

https://github.com/openssl/openssl/blob/8eb399fb25a6ef68b2a9e8d34b242b9767c46abe/CHANGES#L20
Because of this change, we can no longer specify TLS 1.3 ciphers using the --ciphers switch.
In the latest build of OpenSSL, we can only use the -ciphersuites option to change the TLS 1.3 cipher order, like this:

openssl ciphers -V -ciphersuites "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384" "DEFAULT"

I suggest adding a --tls13-ciphers switch to specify TLS 1.3-only ciphers.

@bagder bagder added the TLS label Mar 28, 2018

bagder commented Mar 28, 2018

Yes, it seems like we need to follow along here. The question is perhaps if we also should go with --ciphersuites instead of explicitly spelling out 1.3 in the name. Who knows, maybe a future TLS 1.4 can also use it?


zzq1015 commented Apr 3, 2018

No. We already have the --ciphers switch. The new --ciphersuites will cause confusion for the users.
Spelling TLS 1.3 is kind of necessary and makes sense when TLS 1.4/2.0/whatever comes out. It simply means the cipher suites are for TLS 1.3 and above.


bagder commented Apr 16, 2018

You up to writing a PR for this?

bagder added a commit that referenced this issue May 24, 2018
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github
bagder added a commit that referenced this issue May 29, 2018
@bagder bagder closed this as completed in 050c93c May 29, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Aug 27, 2018
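
Added example, not part of the original thread or of curl's own code: a POSIX shell helper that splits a mixed cipher string into the part for `--ciphers` and the part for `--tls13-ciphers`, the switch added by the commit referenced above. The function names and the sample string are assumptions made for illustration; the five suite names are the TLS 1.3 names OpenSSL defines.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample input).
# OpenSSL takes TLS 1.3 suites through a separate setting from the
# TLS 1.2-and-below cipher list, so a mixed string has to be split before
# it is handed to curl's --ciphers and --tls13-ciphers.

# Succeeds only for the TLS 1.3 suite names OpenSSL defines.
is_tls13_suite() {
    case "$1" in
        TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|\
        TLS_CHACHA20_POLY1305_SHA256|\
        TLS_AES_128_CCM_SHA256|TLS_AES_128_CCM_8_SHA256) return 0 ;;
        *) return 1 ;;
    esac
}

# split_ciphers MIXED
# Sets TLS13_LIST and LEGACY_LIST (colon-separated, original order kept).
split_ciphers() {
    TLS13_LIST=""
    LEGACY_LIST=""
    old_ifs=$IFS
    IFS=:
    set -f                      # no glob expansion while word-splitting
    for c in $1; do
        [ -n "$c" ] || continue # skip empty fields from stray colons
        if is_tls13_suite "$c"; then
            TLS13_LIST="${TLS13_LIST:+$TLS13_LIST:}$c"
        else
            LEGACY_LIST="${LEGACY_LIST:+$LEGACY_LIST:}$c"
        fi
    done
    set +f
    IFS=$old_ifs
}

# curl_cipher_args MIXED
# Prints the curl options, one word per line; omits a switch whose list is
# empty so that the library default for that protocol range stays in effect.
curl_cipher_args() {
    split_ciphers "$1"
    [ -z "$LEGACY_LIST" ] || printf '%s\n%s\n' --ciphers "$LEGACY_LIST"
    [ -z "$TLS13_LIST" ] || printf '%s\n%s\n' --tls13-ciphers "$TLS13_LIST"
}

# Constructed sample: one string mixing both kinds of entries.
curl_cipher_args "TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:DEFAULT"
```

Keywords such as `DEFAULT` and any name not in the TLS 1.3 set are passed through unchanged to the legacy list, so typos still surface as an error from the TLS library rather than being silently dropped.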