[openssl-project] When to enable TLS 1.3 (was: Google's SNI hurdle)
Kurt Roeckx
kurt at roeckx.be
Thu Apr 19 23:42:39 UTC 2018
On Thu, Apr 19, 2018 at 07:16:04PM -0400, Viktor Dukhovni wrote:
>
> But not all the friction can be eliminated, and likely not
> all providers can be persuaded to be more accommodating.
> Which leaves us with some difficult judgement calls:
>
> * Restrict TLS 1.3 support to just applications compiled
> against 1.1.1? A weak signal, but likely correlates at
> least somewhat with the application being ready.

Applications get rebuilt for all sorts of reasons, I don't actually
see this as a good signal at all.

> * Determine whether the application is likely to be compatible
> at runtime by looking at the provided configuration. Is SNI
> enabled? Is the certificate chain weird enough to break with
> TLS 1.3? Has the application turned off critical algorithms?
>
> * Do nothing, let the applications adapt or stick with older
> libraries?

I'm for keeping this as it is now. After the release some
things might break. Applications will adapt.

Kurt