[openssl-users] is there an API to list all the TLS 1.3 cipher suite names?
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jan 9 04:21:59 UTC 2019
On Wed, Jan 09, 2019 at 04:16:05AM +0000, Jordan Brown wrote:

> > You could just provide a free-form emergency string parameter that
> > users are advised to not change unless some major advance makes it
> > necessary. At that time, advice can be published as to what the
> > override setting should be.
>
> That doesn't sound like a 21st century user interface.

How do you plan to offer a built-in menu of algorithms that have
not yet been added to OpenSSL? And if users are better off leaving
the list alone, why encourage that with a fancy UI?

> However, as I think about it, I remember that we already need a
> softcoded list of algorithms, to avoid offering (e.g.) the PSK
> algorithms.

In TLS 1.3, the handshake parameters are configured separately from
the cipherlist. The use of (non-resumption) PSKs requires callbacks,
so they're never enabled out of the box.

> It sounds like TLS 1.3 will need the same.

Actually, it won't, nor did earlier versions; the ciphers were
listed by "openssl ciphers -v", but they can't get activated without
application support.

--
Viktor.
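
Added example, not part of the message above and not OpenSSL project code: a Python sketch that sorts a cipher listing into TLS 1.3 suites, PSK suites and the rest, using the key-exchange and authentication fields reported for each cipher. It assumes Python's ssl module linked against OpenSSL 1.1.1 or later; the helper names and the sample entries are constructed for illustration.

```python
import ssl

# Constructed sample, in the shape ssl.SSLContext.get_ciphers() returns
# when Python is linked against OpenSSL 1.1.1 or later (assumption).
SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any"},
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "PSK-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-psk", "auth": "auth-psk"},
    {"name": "ECDHE-PSK-CHACHA20-POLY1305", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe-psk", "auth": "auth-psk"},
]

def uses_psk(cipher):
    """Pre-1.3 PSK suites carry 'psk' in the key-exchange or auth field."""
    return "psk" in cipher.get("kea", "") or "psk" in cipher.get("auth", "")

def pins_handshake(cipher):
    """False for TLS 1.3 suites, which name only the AEAD and the hash."""
    return (cipher.get("kea"), cipher.get("auth")) != ("kx-any", "auth-any")

def classify(ciphers):
    """Group a get_ciphers()-style list by how the suites are configured."""
    groups = {"tls13": [], "psk": [], "other": []}
    for cipher in ciphers:
        if cipher.get("protocol") == "TLSv1.3":
            groups["tls13"].append(cipher["name"])
        elif uses_psk(cipher):
            groups["psk"].append(cipher["name"])
        else:
            groups["other"].append(cipher["name"])
    return groups

def listed_ciphers(cipher_string="DEFAULT"):
    """Ciphers the local OpenSSL lists for a fresh client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

if __name__ == "__main__":
    # Listing only: a suite appearing here does not mean it can be negotiated.
    for group, names in classify(listed_ciphers()).items():
        print(f"{group:6} {len(names):3}  {', '.join(names[:4])}")
```
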