OpenSSL 1.1.1 introduced support for TLSv1.3. TLSv1.3 is a major rewrite of the protocol (according to this OpenSSL blog post, some even argued it should have been called TLSv2.0). In particular, it introduces a new, incompatible set of ciphersuites that only work with TLSv1.3, and TLSv1.3 cannot use the old ciphersuites.

This means that by specifying which ciphers to use, one can not only disable old and obsolete TLS versions (which was always the point), but also, unintentionally, prevent the newest TLSv1.3 from working. After upgrading to OpenSSL 1.1.1, users might believe they are safe and secure using TLSv1.3, while in fact an existing configuration file might be preventing it.

To avoid giving users this false sense of security, the OpenSSL developers decided that TLSv1.3 ciphersuites should not be affected by the normal cipher-selecting API. You can read the detailed discussion on GitHub. This means that the --ssl-cipher option does not affect TLSv1.3 ciphersuites and cannot disable or enable TLSv1.3.
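The following is an added example, not code from the original page or from MariaDB or OpenSSL. It shows the behaviour described above from a Python script: a cipher string applied through the classic cipher-list API (Python's `SSLContext.set_ciphers()`, which wraps `SSL_CTX_set_cipher_list()`, the same call a `--ssl-cipher` value ends up in) restricts the pre-1.3 ciphers but leaves the TLSv1.3 ciphersuites exactly as they were, because OpenSSL keeps those on a separate list (`SSL_CTX_set_ciphersuites()`). It assumes a Python `ssl` module linked against OpenSSL 1.1.1 or later; the function names `audit_cipher_string` and `restrict_to_tls12` are this example's own.

```python
import ssl

# True when the linked OpenSSL supports TLSv1.3 (OpenSSL 1.1.1+); on older
# builds the TLSv1.3 lists below are simply empty.
HAS_TLS13 = ssl.HAS_TLSv1_3


def audit_cipher_string(cipher_string):
    """Apply cipher_string via the classic cipher-list API and report what survives.

    Returns a dict with the enabled TLSv1.3 ciphersuites, the enabled pre-1.3
    ciphers, and whether the TLSv1.3 set is identical to what it was before the
    cipher string was applied (it always is: the cipher-list API cannot touch it).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # TLSv1.3 suites enabled before any cipher string is applied.
    baseline = {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"}

    # This is SSL_CTX_set_cipher_list(): it governs TLSv1.2 and older only.
    ctx.set_ciphers(cipher_string)

    after = ctx.get_ciphers()
    tls13 = [c["name"] for c in after if c["protocol"] == "TLSv1.3"]
    legacy = [c["name"] for c in after if c["protocol"] != "TLSv1.3"]
    return {
        "tls13": tls13,
        "legacy": legacy,
        "tls13_untouched": set(tls13) == baseline,
    }


def restrict_to_tls12():
    """The protocol-version bound, not the cipher string, is what turns TLSv1.3 off.

    Returns a context capped at TLSv1.2; a TLSv1.3 handshake can no longer be
    negotiated with it regardless of which cipher string is set.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # A deliberately narrow, TLSv1.2-only cipher string, as a user might put in
    # --ssl-cipher believing it pins the connection to exactly one suite.
    report = audit_cipher_string("ECDHE-RSA-AES128-GCM-SHA256")
    print("pre-1.3 ciphers still enabled:", report["legacy"])
    print("TLSv1.3 suites still enabled: ", report["tls13"])
    print("TLSv1.3 set unaffected:       ", report["tls13_untouched"])
    print("max version after cap:        ", restrict_to_tls12().maximum_version.name)
```

Running the script against an OpenSSL 1.1.1+ build prints a single pre-1.3 cipher next to the three default TLSv1.3 suites (`TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`), which is the point of the page: the cipher string narrowed the old list and did nothing to the new one. Note that Python's `ssl` module exposes no wrapper for `SSL_CTX_set_ciphersuites()`, so from Python the only way to keep TLSv1.3 from being negotiated is the version bound shown in `restrict_to_tls12`.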
