[openssl-users] Call for testing TLS 1.3
Benjamin Kaduk
bkaduk at akamai.com
Tue May 29 18:46:26 UTC 2018
(For those who are not Jouni, there is some spec work needed for
TLS 1.3/EAP integration as well, occurring in the IETF EMU working group.
I assume Jouni is on the mailing list and knows this already)
-Ben
On Mon, May 28, 2018 at 03:28:13PM +0300, Jouni Malinen wrote:
> On Sun, Apr 29, 2018 at 12:43:26PM +0200, Kurt Roeckx wrote:
> > We are considering if we should enable TLS 1.3 by default or not,
> > or when it should be enabled. For that, we would like to know how
> > applications behave with the latest beta release.
>
> It looks like couple of TLS 1.3 changes result in breaking functionality
> for various EAP methods that are based on TLS unless significant changes
> in both the EAP method definition and implementations are done before
> enabling the new TLS version. This seems to have an impact to at least
> EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST.
>
> As far as wpa_supplicant (EAP peer) and hostapd (EAP server)
> implementations are concerned, I've prepared changes to make EAP-TLS
> work with TLS 1.3, but the other EAP methods are still failing for
> various known (and to some extend, unknown) issues. Anyway, I'm
> currently explicitly disabling TLS 1.3 support with OpenSSL by default
> in these application due to these issues and the expected
> interoperability issues and as such, the OpenSSL 1.1.1 release default
> behavior regarding TLS 1.3 support should not have impact for these
> applications. That said, other EAP implementations may want to do
> something similar or face possibility of breaking functionality if
> OpenSSL 1.1.1 does go out with TLS 1.3 enabled by default and both ends
> of the EAP connection have TLS 1.3 enabled.
>
> --
> Jouni Malinen PGP id EFC895FA
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
More information about the openssl-users
mailing list