Difficulty in understanding TLS1.3 APIs in OpenSSL 1.1.1

Raja Ashok rashok.svks at gmail.com
Mon May 27 09:26:34 UTC 2019


Hi All,

I feel like some TLS 1.3 configuration APIs in OpenSSL 1.1.1 are
uncomfortable to use.

*1) Configuring Cipher Suite:* There is a new API for configuring TLS1.3
cipher suites, which is *SSL_set_ciphersuites()*. But calling only
*SSL_set_ciphersuites()* does not work. The old API
*SSL_set_cipher_list()* needs to be called first, and then *SSL_set_ciphersuites()*.

*2) Configuring supported groups and temp ECDHE:* Configuring temp ECDHE
using *SSL_set_tmp_ECDH()* configures the corresponding curve ID as the
supported groups. So calling *SSL_set1_groups()* first and then calling
*SSL_set_tmp_ECDH()* resets the groups configured using *SSL_set1_groups()*.

I feel the configuration APIs introduced in TLS1.3 are a little confusing and
they should be used in a certain order to achieve the required configuration.

Can someone try to clarify these API behaviours for me, or is my understanding
of how to use these APIs incorrect?

Regards
R Ashok