TLS 1.3 migration: SSL_set_cipher_list vs SSL_set_ciphersuites and "aliases" of families of cipher like TLSv1.3
Salz, Rich
rsalz at akamai.com
Wed Apr 1 13:19:09 UTC 2020
> - Do you think any use for supporting some kind of alias for families of cipher in SSL_set_ciphersuites, like for example "TLSv1.3"
Suppose someone finds out that chacha/poly is insecure and the IETF issues a new RFC that says "TLS 1.3 MUST NOT use" that cipher. Should the openssl alias change?
It can be wordy, but explicitly listing ciphers and not using aliases (HIGH EXPORT etc) is really better.
As for ease of use, just don't allow the ciphers to be configured.
More information about the openssl-users
mailing list