[openssl-project] When to enable TLS 1.3

Kurt Roeckx kurt at roeckx.be
Sat Apr 21 18:42:02 UTC 2018


On Sat, Apr 21, 2018 at 05:19:31PM +0200, Kurt Roeckx wrote:
> On Fri, Apr 20, 2018 at 10:16:55AM +0100, Matt Caswell wrote:
> > On 20/04/18 09:11, Kurt Roeckx wrote:
> > > On Fri, Apr 20, 2018 at 09:11:39AM +0200, Kurt Roeckx wrote:
> > >>
> > >> Maybe we can convert the blog post into a wiki, update it to the
> > >> current status, and point people to that.
> > > 
> > > I've converted the blog to the wiki:
> > > https://wiki.openssl.org/index.php/TLS1.3
> > > 
> > > I've made some minor changes, it could use better formatting, and
> > > at least the section about ciphersuites is outdated.
> > 
> > I have updated the ciphersuites section and fixed the man page links, as
> > well as a few other content tweaks here and there.
> 
> Thanks.
> 
> So should we send out some call for testing? Does someone want to
> write a draft message?

Here is some attempt:

The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
1.3 brings a lot of changes that might cause incompatibility. For
an overview see https://wiki.openssl.org/index.php/TLS1.3

We are considering if we should enable TLS 1.3 by default or not,
or when it should be enabled. For that, we would like to know how
applications behave with the current version.

When testing this, it's important that both sides of the
connection support the same TLS 1.3 draft version. OpenSSL
currently implements draft 26. We would like to see tests
for OpenSSL acting as client and server.

https://github.com/tlswg/tls13-spec/wiki/Implementations lists
other TLS 1.3 implementations and the draft they currently
support. Note that the versions listed there might not be for the
latest release. It also lists some https test servers.

We would really like to see a diverse set of applications being
tested. Please report any results you have to us.


Kurt


