[openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

Viktor Dukhovni openssl-users at dukhovni.org
Thu Apr 19 20:34:27 UTC 2018

> On Apr 19, 2018, at 4:24 PM, Salz, Rich <rsalz at akamai.com> wrote:
> Viktor found my comment offensive, which was not my intent.  I was trying to be light-hearted in commenting on how Viktor dismissed all the issues David raised.
> If, in doing so, I went beyond our code of conduct and offended, I am truly truly sorry.

Thanks.  Much appreciated...

Yes, there are other potential obstacles when enabling TLS 1.3 in applications not specifically designed for it.  Some substantial, others less so.

Without going into a lengthy analysis, I think that most of the issues are minor, but authentication failure when an unexpected certificate appears with 1.3 that one would not see with 1.2 seems like a substantially more major hurdle, and one that sure seems avoidable.  I hope it will be looked at more closely and in the not too distant future deployed less broadly (if at all).


