[openssl-project] When to enable TLS 1.3 (was: Google's SNI hurdle)
kurt at roeckx.be
Thu Apr 19 23:42:39 UTC 2018
On Thu, Apr 19, 2018 at 07:16:04PM -0400, Viktor Dukhovni wrote:
> But not all the friction can be eliminated, and likely not
> all providers can be persuaded to be more accommodating.
> Which leaves us with some difficult judgement calls:
> * Restrict TLS 1.3 support to just applications compiled
> against 1.1.1? A weak signal, but likely correlates at
> least somewhat with the application being ready.
Applications get rebuilt for all sorts of reasons, I don't actually
see this as a good signal at all.
> * Determine whether the application is likely to be compatible
> at runtime by looking at the provided configuration. Is SNI
> enabled? Is the certificate chain weird enough to break with
> TLS 1.3? Has the application turned off critical algorithms?
> * Do nothing, let the applications adapt or stick with older
I'm for keeping this as it is now. After the release some
things might break. Applications will adapt.