TLS 1.3 specific cipher list (OpenSSL)

[zzq1015]

https://github.com/openssl/openssl/blob/8eb399fb25a6ef68b2a9e8d34b242b9767c46abe/CHANGES#L20
Because of this change, we can no longer specify TLS 1.3 ciphers using the --ciphers switch.
In the latest build of OpenSSL, we can only use the -ciphersuites to change TLS 1.3 cipher orders, like this:

openssl ciphers -V -ciphersuites "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384" "DEFAULT"

I suggest adding a --tls13-ciphers switch to specify TLS1.3-only ciphers.

[bagder]

Yes, it seems like we need to follow along here. The question is perhaps if we also should go with --ciphersuites instead of explicitly spelling out 1.3 in the name. Who knows, maybe a future TLS 1.4 can also use it?

[zzq1015]

No. We already have --ciphers switch. The new --ciphersuites will cause confusion for the users.
Spelling TLS 1.3 is kind of necessary and makes sense when TLS 1.4/2.0/whatever comes out. It simply means the cipher suites are for TLS 1.3 and above.

[bagder]

You up to writing a PR for this?