[openssl-users] Call for testing TLS 1.3

Jouni Malinen j at w1.fi
Mon May 28 12:28:13 UTC 2018


On Sun, Apr 29, 2018 at 12:43:26PM +0200, Kurt Roeckx wrote:
> We are considering if we should enable TLS 1.3 by default or not,
> or when it should be enabled. For that, we would like to know how
> applications behave with the latest beta release.

It looks like a couple of TLS 1.3 changes result in breaking functionality
for various EAP methods that are based on TLS unless significant changes
in both the EAP method definition and implementations are done before
enabling the new TLS version. This seems to have an impact on at least
EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST.

As far as wpa_supplicant (EAP peer) and hostapd (EAP server)
implementations are concerned, I've prepared changes to make EAP-TLS
work with TLS 1.3, but the other EAP methods are still failing for
various known (and to some extent, unknown) issues. Anyway, I'm
currently explicitly disabling TLS 1.3 support with OpenSSL by default
in these applications due to these issues and the expected
interoperability issues and as such, the OpenSSL 1.1.1 release default
behavior regarding TLS 1.3 support should not have impact for these
applications. That said, other EAP implementations may want to do
something similar or face the possibility of breaking functionality if
OpenSSL 1.1.1 does go out with TLS 1.3 enabled by default and both ends
of the EAP connection have TLS 1.3 enabled.

-- 
Jouni Malinen                                            PGP id EFC895FA
