Difficulty in understanding TLS1.3 APIs in OpenSSL 1.1.1

Matt Caswell matt at openssl.org
Mon May 27 10:11:44 UTC 2019
On 27/05/2019 10:26, Raja Ashok wrote:
> Hi All,
> 
> I feel like some TLS 1.3 configuration APIs in OpenSSL 1.1.1 are uncomfortable
> to use.
> 
> *1) Configuring Cipher Suite:* There is a new API for configuring the TLS 1.3 cipher
> suite, which is SSL_set_ciphersuites(). But calling
> only SSL_set_ciphersuites() does not work. Need to call the old
> API SSL_set_cipher_list() first and then SSL_set_ciphersuites().

Hmmm...this shouldn't be the case. Order shouldn't be important. If you are
experiencing that it sounds like a possible bug.

> 
> *2) Configuring supported groups and temp ECDHE:* Configuring temp ECDHE using
> SSL_set_tmp_ECDH() configures the corresponding curve ID as the supported groups.
> So calling SSL_set1_groups() first and then calling SSL_set_tmp_ECDH() resets
> the groups configured using SSL_set1_groups().

SSL_set_tmp_ECDH() is the old way of doing things (we should probably deprecate
this). You shouldn't need to call this at all. Just use SSL_set1_groups.

Matt
