Openssl 1.1 / TLS 1.3

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Openssl 1.1 / TLS 1.3

Richard Moore
If I run the following:

 openssl-1.1.1pre1 ciphers -tls1_3 -v

Then I get lots of ciphers, for example AES128-SHA however the latest draft TLS 1.3 RFC states:

The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms.

This suggests that the ciphers command isn't working as intended. Should I file an issue in github?

Cheers

Rich.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Openssl 1.1 / TLS 1.3

Matt Caswell-2


On 14/02/18 16:27, Richard Moore wrote:
> If I run the following:
>
>  openssl-1.1.1pre1 ciphers -tls1_3 -v

The man page says this about the "-tls1_3" option:

"In combination with the B<-s> option, list the ciphers which would be
used if TLSv1.3 were negotiated."

So you need to add "-s". If you do that then you only get the TLSv1.3
ciphers. It's a little strange that the option is ignored if no -s is
supplied (you might think supplying -tls1_3 would automatically imply
-s). But that is the way that all the -tls* options work, so this is
nothing new in 1.1.1.

Matt



>
> Then I get lots of ciphers, for example AES128-SHA however the latest
> draft TLS 1.3 RFC states:
>
> The list of supported symmetric algorithms has been pruned of all
> algorithms that are considered legacy. Those that remain all use
> Authenticated Encryption with Associated Data (AEAD) algorithms.
>
> This suggests that the ciphers command isn't working as intended. Should
> I file an issue in github?
>
> Cheers
>
> Rich.
>
>
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Openssl 1.1 / TLS 1.3

Richard Moore


On 14 February 2018 at 16:34, Matt Caswell <[hidden email]> wrote:


On 14/02/18 16:27, Richard Moore wrote:
> If I run the following:
>
>  openssl-1.1.1pre1 ciphers -tls1_3 -v

The man page says this about the "-tls1_3" option:

"In combination with the B<-s> option, list the ciphers which would be
used if TLSv1.3 were negotiated."

So you need to add "-s". If you do that then you only get the TLSv1.3
ciphers. It's a little strange that the option is ignored if no -s is
supplied (you might think supplying -tls1_3 would automatically imply
-s). But that is the way that all the -tls* options work, so this is
nothing new in 1.1.1.

​I see thanks. That's very confusing, but yeah it seems to be there since 1.1.0. How would you feel about that being the default? I'm a little bit unclear about what the point of the option is otherwise?

Thanks

Rich.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Openssl 1.1 / TLS 1.3

Matt Caswell-2


On 14/02/18 17:28, Richard Moore wrote:

>
>
> On 14 February 2018 at 16:34, Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 14/02/18 16:27, Richard Moore wrote:
>     > If I run the following:
>     >
>     >  openssl-1.1.1pre1 ciphers -tls1_3 -v
>
>     The man page says this about the "-tls1_3" option:
>
>     "In combination with the B<-s> option, list the ciphers which would be
>     used if TLSv1.3 were negotiated."
>
>     So you need to add "-s". If you do that then you only get the TLSv1.3
>     ciphers. It's a little strange that the option is ignored if no -s is
>     supplied (you might think supplying -tls1_3 would automatically imply
>     -s). But that is the way that all the -tls* options work, so this is
>     nothing new in 1.1.1.
>
>
> ​I see thanks. That's very confusing, but yeah it seems to be there
> since 1.1.0. How would you feel about that being the default? I'm a
> little bit unclear about what the point of the option is otherwise?

We're always a bit wary about changing the behaviour of command line app
options. It has a tendency to "bite" us in unexpected ways (where people
are relying on the behaviour being one way, and suddenly it changes). In
particular 1.1.1 is supposed to be completely compatible with 1.1.0.

Having said that its difficult to see what would break if we made it
that specifying one of those options implicitly sets "-s" too. Or
alternatively we could perhaps print a warning if you specify one of
these options without -s.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users