Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS 1.3 specific cipher list (OpenSSL) #2435

Closed
zzq1015 opened this issue Mar 28, 2018 · 3 comments
Closed

TLS 1.3 specific cipher list (OpenSSL) #2435

zzq1015 opened this issue Mar 28, 2018 · 3 comments
Labels
TLS

Comments

@zzq1015
Copy link

zzq1015 commented Mar 28, 2018
edited
Loading

https://github.com/openssl/openssl/blob/8eb399fb25a6ef68b2a9e8d34b242b9767c46abe/CHANGES#L20
Because of this change, we can no longer specify TLS 1.3 ciphers using the --ciphers switch.
In the latest build of OpenSSL, we can only use the -ciphersuites to change TLS 1.3 cipher orders, like this:

openssl ciphers -V -ciphersuites "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384" "DEFAULT"

I suggest adding a --tls13-ciphers switch to specify TLS1.3-only ciphers.
@bagder bagder added the TLS label Mar 28, 2018
@bagder
Copy link
Member

bagder commented Mar 28, 2018

Yes, it seems like we need to follow along here. The question is perhaps if we also should go with --ciphersuites instead of explicitly spelling out 1.3 in the name. Who knows, maybe a future TLS 1.4 can also use it?

@zzq1015
Copy link
Author

zzq1015 commented Apr 3, 2018
edited
Loading

No. We already have --ciphers switch. The new --ciphersuites will cause confusion for the users.
Spelling TLS 1.3 is kind of necessary and makes sense when TLS 1.4/2.0/whatever comes out. It simply means the cipher suites are for TLS 1.3 and above.

@bagder
Copy link
Member

bagder commented Apr 16, 2018

You up to writing a PR for this?

bagder added a commit that referenced this issue May 24, 2018
@bagder
setopt: add TLS 1.3 ciphersuites

Verified

This commit was signed with the committer’s verified signature. The key has expired.
mback2k Marc Hörsken
GPG key ID: 61E03CBED7BC859E
Expired
Verified
Learn about vigilant mode
b7319e1 
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github
@bagder bagder mentioned this issue May 24, 2018
Closed
bagder added a commit that referenced this issue May 29, 2018
@bagder
setopt: add TLS 1.3 ciphersuites

Verified

This commit was signed with the committer’s verified signature. The key has expired.
mback2k Marc Hörsken
GPG key ID: 61E03CBED7BC859E
Expired
Verified
Learn about vigilant mode
f1351e0 
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github
@bagder bagder closed this as completed in 050c93c May 29, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Aug 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
TLS
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bagder @zzq1015