[openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

Viktor Dukhovni openssl-users at dukhovni.org
Thu Apr 19 18:37:38 UTC 2018

> On Apr 19, 2018, at 1:31 PM, David Benjamin <davidben at google.com> wrote:
> Consider a caller using a PKCS#1-only ENGINE-backed private key. PKCS#1 does not work in TLS 1.3, only PSS.

That's a local matter, and easy to resolve locally.

> Consider a caller which calls SSL_renegotiate.

Ditto.  And sufficiently uncommon to not worry about.

> A client which expects the session to be available immediately after the handshake will also break.

Sessions are not always offered by the server, clients already have to deal with this.

> Or someone who listens to the message callback.

Not worth worrying about.

> Or someone who only installed CBC-mode ciphers in initialization.

Not a problem, OpenSSL 1.1.1 has separate cipher controls for TLS 1.3.

> Or just someone who calls SSL_version and checks that it is TLS1_2_VERSION.

They can set the max version. ...

The above are local edge cases.  The SNI interoperability trap is random damage imposed by apparently capricious remote servers.  I plead you reconsider this *particular* additional hoop for TLS 1.3 clients to jump through, just do whatever you did with TLS 1.2.  If TLS 1.2 failed with SNI, fine, do the same with TLS 1.3; if not, then return the same chain.
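Two of the local fixes named in the reply (separate TLS 1.3 cipher controls, and capping the maximum version), as an added example that is not part of the original message. It assumes Python's `ssl` module linked against OpenSSL 1.1.1 or later; the cipher string and function names are constructed for illustration.

```python
import ssl

# Constructed legacy configuration: a client that "only installed CBC-mode ciphers".
CBC_ONLY = "AES128-SHA:AES256-SHA"


def build_client_context(cap_at_tls12: bool) -> ssl.SSLContext:
    """Client context with a CBC-only legacy cipher list (hypothetical helper)."""
    ctx = ssl.create_default_context()
    # set_ciphers() wraps SSL_CTX_set_cipher_list(), which governs TLS 1.2 and
    # below only. TLS 1.3 suites are controlled separately in OpenSSL 1.1.1.
    ctx.set_ciphers(CBC_ONLY)
    if cap_at_tls12:
        # The local fix for code that insists on TLS1_2_VERSION: never offer 1.3.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def split_suites(ctx: ssl.SSLContext):
    """Return (tls13_names, legacy_names) from the context's enabled suites."""
    tls13, legacy = [], []
    for suite in ctx.get_ciphers():
        target = tls13 if suite["protocol"] == "TLSv1.3" else legacy
        target.append(suite["name"])
    return tls13, legacy


def audit(cap_at_tls12: bool) -> dict:
    """Summarise what a legacy-configured client would offer."""
    ctx = build_client_context(cap_at_tls12)
    tls13, legacy = split_suites(ctx)
    return {
        "max_version": ctx.maximum_version.name,
        "tls13_suites": tls13,
        "legacy_suites": legacy,
    }


if __name__ == "__main__":
    for capped in (False, True):
        print("capped" if capped else "default", audit(capped))
```

In the uncapped context the TLS 1.3 suites remain enabled even though the legacy list holds only CBC suites, so a TLS 1.3 handshake is still possible without touching the old cipher string.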

