TLS1.3 ciphersuites configuration way Support

Maxim Dounin mdounin at
Fri Sep 28 22:57:50 UTC 2018


On Fri, Sep 28, 2018 at 04:56:10AM -0400, Alex Zhang wrote:

> It seems that OpenSSL has changed the way TLSv1.3 cipher suites are
> configured.
> According to the document
>, the
> function SSL_CTX_set_cipher_list isn’t suitable for TLSv1.3, instead,
> SSL_CTX_set_ciphersuits should be used. While Nginx’s now still use
> SSL_CTX_set_cipher_list
> to configure the SSL/TLS ciphers, which leads to the default cipher suits
> are used all the time.
> Is there any support plan for this?

Yes, as long as the long-term approach to configure ciphers for 
different TLS versions will be clear.  Right now the only thing 
which is clear is that the SSL_CTX_set_ciphersuits() interface is 
a band-aid which leads to various surprising and inconsistent 
results.  See for 

Maxim Dounin

More information about the nginx mailing list