TLS 1.3 and Cipher-suite #1947
Comments
|
The cipher list is currently hardcoded. My first instinct was to extract the cipher list from the ssl_ctx but the way to specify ciphers has changed in openssl 1.1.1, so we need to call I'm not sure what the best way to tackle that would be, a separate configuration option |
|
Also, if the underlying openssl is older than openssl-1.1.1 (say openssl-1.1.0), the ssl_ctx will not contain the TLS1.3 ciphers. A separate list like @deweerdt suggested could make the usage simpler. |
|
A separate configuration option has my vote. I believe it would be easier and clearer. Mixing ciphers for TLSv1.3 with those of the previous TLS versions, in the same option, would make it harder to read, and certainly harder to parse (I guess). |
|
I've pushed a proposal to #1963 , please let me know what you think. |
|
I do not have the skill to review the code itself, but the idea seems good to me. Is there a naming convention for options in H2O ? I do not mind, but can it cause confusion to have a "dot" inside an option name? "cipher-suite-tls1.3" or "cipher-suite-tls13" ? As I said, I do not mind, this was just a thought which came to my mind. Thanks! |
Hi, and Happy New Year by the same occasion,
I was wondering if this is possible to select the preferred order of the ciphers, when using TLS v1.3.
I am using:
However, no matter what I put in the "cipher-suite", this is always the default OpenSSL suite, which is used : "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256" and "TLS_AES_128_GCM_SHA256" and in this exact order.
So I was wondering if this is the expected behavior?
Thank you,
Best regards,
The text was updated successfully, but these errors were encountered: