Relationship between TLS 1.3 ciphers and earlier ciphers

Jordan Brown openssl at jordan.maileater.net
Fri May 26 20:29:26 UTC 2023


On 5/26/2023 12:47 PM, Michael Wojcik via openssl-users wrote:
> I'm sure people can make reasonable arguments for presenting a
> combined list to end users, and then programmatically separating that
> into the two collections.

My hope would be that we wouldn't *need* to separate them, that we could
just have one list.  But maybe I'm spending more effort attempting to
achieve that simplification than it's worth.

Mostly I am not *too* concerned about usability here.  I regard this as
an escape hatch. 98% of the time the defaults we supply will be fine.
1% of the time it will be necessary to loosen them for interoperability
with older equipment.  1% of the time it will be necessary to tighten
them to disallow some compromised algorithm, or for some policy reason.
These are not personal preference items where users can be expected to
select random combinations and expect them to work - my only goal there
is that selecting a bad combination must not fail stupidly.

Other than intellectual curiosity as to why a single unified list is a
bad idea, I think I've gotten the answer I needed:  the fact that the
"ciphersuites" functions accept and process TLS 1.2 ciphers is an
accident that we should not rely on.

-- 
Jordan Brown, Oracle
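The "present one list, split it programmatically" approach discussed above, as an added illustration that is not code from this thread or from OpenSSL itself: the TLS 1.3 suite names are the five defined in RFC 8446 (an assumption of this example), the TLS 1.2 half is validated by handing it to OpenSSL through Python's `ssl` module, and RFC-style names for TLS 1.2 ciphers are rejected rather than passed to the ciphersuites API by accident.

```python
"""Split one user-facing ':'-separated list into OpenSSL's two collections.

OpenSSL configures TLS 1.3 suites (SSL_CTX_set_ciphersuites) separately
from TLS 1.2-and-earlier ciphers (SSL_CTX_set_cipher_list).  This helper
keeps a single list for the user and splits it so that a bad combination
fails loudly at configuration time, not at the first handshake.
"""
import ssl
from typing import Tuple

# The TLS 1.3 cipher suites defined by RFC 8446, as OpenSSL names them
# (assumed fixed set for this example).
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def split_cipher_config(combined: str) -> Tuple[str, str]:
    """Return (tls12_cipher_list, tls13_ciphersuites) from one combined list.

    Raises ValueError for RFC-style TLS 1.2 names and ssl.SSLError when the
    TLS 1.2 expression matches no cipher, instead of silently dropping them.
    """
    tls12, tls13 = [], []
    for token in filter(None, combined.split(":")):
        if token in TLS13_SUITES:
            tls13.append(token)
        elif token.startswith("TLS_"):
            # e.g. TLS_RSA_WITH_AES_128_GCM_SHA256: a TLS 1.2 suite in RFC
            # spelling.  The ciphersuites API may accept it by accident,
            # so refuse it and ask for the OpenSSL name in the cipher list.
            raise ValueError(
                f"{token!r} is not a TLS 1.3 suite; use its OpenSSL name")
        else:
            # OpenSSL cipher-list syntax: names, keywords (HIGH), !/+/@ ops.
            tls12.append(token)
    cipher_list = ":".join(tls12)
    if cipher_list:
        # Let OpenSSL check the TLS 1.2 expression: set_ciphers() raises
        # ssl.SSLError when nothing matches ("No cipher can be selected").
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_ciphers(cipher_list)
    return cipher_list, ":".join(tls13)
```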