[openssl-users] Openssl 1.1 / TLS 1.3

Matt Caswell matt at openssl.org
Thu Feb 15 09:46:18 UTC 2018



On 14/02/18 17:28, Richard Moore wrote:
> 
> 
> On 14 February 2018 at 16:34, Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
> 
> 
> 
>     On 14/02/18 16:27, Richard Moore wrote:
>     > If I run the following:
>     >
>     >  openssl-1.1.1pre1 ciphers -tls1_3 -v
> 
>     The man page says this about the "-tls1_3" option:
> 
>     "In combination with the B<-s> option, list the ciphers which would be
>     used if TLSv1.3 were negotiated."
> 
>     So you need to add "-s". If you do that then you only get the TLSv1.3
>     ciphers. It's a little strange that the option is ignored if no -s is
>     supplied (you might think supplying -tls1_3 would automatically imply
>     -s). But that is the way that all the -tls* options work, so this is
>     nothing new in 1.1.1.
> 
> 
> I see thanks. That's very confusing, but yeah it seems to be there
> since 1.1.0. How would you feel about that being the default? I'm a
> little bit unclear about what the point of the option is otherwise?

We're always a bit wary about changing the behaviour of command line app
options. It has a tendency to "bite" us in unexpected ways (where people
are relying on the behaviour being one way, and suddenly it changes). In
particular 1.1.1 is supposed to be completely compatible with 1.1.0.

Having said that, it's difficult to see what would break if we made it
that specifying one of those options implicitly sets "-s" too. Or
alternatively we could perhaps print a warning if you specify one of
these options without -s.

Matt
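A small check that follows from the exchange above, added here as an example and not part of the thread or of OpenSSL's own tooling: since "-tls1_3" is silently ignored unless "-s" is also given, the safe habit is to verify the list you got back rather than trust the flag. The script parses the "-v" output format of "openssl ciphers" (cipher name, then the protocol version in the second column) and counts suites whose protocol is not TLSv1.3. The two sample lists are constructed to mimic that format and are not real captured output; the function names and the "--live" switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the openssl-users thread. Verifies that a
# cipher list in "openssl ciphers -v" format contains only TLSv1.3 suites,
# which is what "openssl ciphers -s -tls1_3 -v" should print.

# Constructed sample in "-v" format: what a -tls1_3 query looks like when
# -s is present (TLSv1.3 suites only). Not real captured output.
SAMPLE_WITH_S='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD'

# Constructed sample: what you get when -tls1_3 is ignored because -s was
# omitted, i.e. the full list including older protocol versions.
SAMPLE_WITHOUT_S='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# count_non_tls13 LIST: prints how many lines have a protocol column
# (second whitespace-separated field) other than TLSv1.3.
count_non_tls13() {
    printf '%s\n' "$1" | awk '$2 != "TLSv1.3" { n++ } END { print n+0 }'
}

# tls13_only LIST: succeeds (exit 0) only when every suite is TLSv1.3.
tls13_only() {
    [ "$(count_non_tls13 "$1")" -eq 0 ]
}

# live_tls13_list: the command from the thread with -s supplied so that
# -tls1_3 is honoured. Only meaningful with an OpenSSL that knows TLSv1.3.
live_tls13_list() {
    openssl ciphers -s -tls1_3 -v 2>/dev/null
}

# Usage: sh check_tls13.sh --live   (hypothetical script name)
if [ "${1:-}" = "--live" ]; then
    list=$(live_tls13_list) || { echo "openssl lacks -tls1_3 support" >&2; exit 2; }
    if tls13_only "$list"; then
        echo "OK: TLSv1.3-only cipher list"
    else
        echo "WARNING: $(count_non_tls13 "$list") non-TLSv1.3 suites present"
    fi
fi
```

Run with "--live" on a host that has 1.1.1 to confirm the "-s" behaviour Matt describes; without the switch the script only defines the functions, so it can be sourced and used against any saved "-v" output.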
