[openssl-project] When to enable TLS 1.3 (was: Google's SNI hurdle)

Kurt Roeckx kurt at roeckx.be
Thu Apr 19 23:42:39 UTC 2018

On Thu, Apr 19, 2018 at 07:16:04PM -0400, Viktor Dukhovni wrote:
> But not all the friction can be eliminated, and likely not
> all providers can be persuaded to be more accommodating.
> Which leaves us with some difficult judgement calls:
>   * Restrict TLS 1.3 support to just applications compiled
>     against 1.1.1?  A weak signal, but likely correlates at
>     least somewhat with the application being ready.

Applications get rebuild for all sort of reasons, I don't actually
see this as a good signal at all.

>   * Determine whether the application is likely to be compatible
>     at runtime by looking at the provided configuration.  Is SNI
>     enabled?  Is the certificate chain weird enough to break with
>     TLS 1.3.  Has the application turned off critical algorithms?
>   * Do nothing, let the applications adapt or stick with older
>     libraries?

I'm for keeping this as they are now. After the release some
things might break. Applications will adapt.


More information about the openssl-project mailing list