TLS1.3 ciphersuites configuration way Support
Maxim Dounin
mdounin at mdounin.ru
Fri Sep 28 22:57:50 UTC 2018
Hello!
On Fri, Sep 28, 2018 at 04:56:10AM -0400, Alex Zhang wrote:
> It seems that OpenSSL has changed the way TLSv1.3 cipher suites are
> configured.
> According to the document
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html, the
> function SSL_CTX_set_cipher_list isn’t suitable for TLSv1.3, instead,
> SSL_CTX_set_ciphersuits should be used. While Nginx’s now still use
> SSL_CTX_set_cipher_list
> to configure the SSL/TLS ciphers, which leads to the default cipher suits
> are used all the time.
>
> Is there any support plan for this?
Yes, as long as the long-term approach to configure ciphers for
different TLS versions will be clear. Right now the only thing
which is clear is that the SSL_CTX_set_ciphersuits() interface is
a band-aid which leads to various surprising and inconsistent
results. See https://trac.nginx.org/nginx/ticket/1529 for
details.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list