Using TLSv1.3


OpenSSL 1.1.1 introduced support for TLSv1.3. TLSv1.3 is a major rewrite of the protocol (according to this OpenSSL blog post, some argued it should have been called TLSv2.0). In particular, it introduces a new, incompatible set of ciphersuites that work only with TLSv1.3, and it cannot use any of the older ciphersuites at all.

This means that by specifying which ciphers to use, one can not only disable old and obsolete TLS versions (which was always the intended purpose of a cipher list), but also, unintentionally, prevent the newest TLSv1.3 from being negotiated: a cipher string written before TLSv1.3 existed names no TLSv1.3 ciphersuite. After upgrading to OpenSSL 1.1.1, users might believe they are safe and secure using TLSv1.3, while in fact their existing configuration files would be preventing it.

To avoid giving users this false sense of security, the OpenSSL developers decided that TLSv1.3 ciphersuites should not be affected by the normal cipher-selecting API (the cipher list set with SSL_CTX_set_cipher_list()); TLSv1.3 ciphersuites are configured through a separate API and are enabled by default. You can read the detailed discussion on GitHub. For MariaDB this means that the --ssl-cipher option does not affect TLSv1.3 ciphersuites and cannot disable or enable TLSv1.3.
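The behaviour described above can be observed directly from Python's ssl module, which wraps the same OpenSSL calls (set_ciphers() is SSL_CTX_set_cipher_list(), maximum_version is SSL_CTX_set_max_proto_version()). The following is an added example and is not part of the original article or of MariaDB; it assumes an interpreter linked against OpenSSL 1.1.1 or later, and the cipher string and function names are constructed for illustration. It shows that a TLSv1.2-only cipher string leaves every TLSv1.3 ciphersuite enabled, and that only the protocol-version bound actually disables TLSv1.3.

```python
import ssl

# A cipher string naming only TLSv1.2 suites, the kind of setting found in
# configuration files written before TLSv1.3 existed (constructed example
# value, not a recommendation).
LEGACY_CIPHER_STRING = "ECDHE-RSA-AES128-GCM-SHA256"

# True when the linked OpenSSL (1.1.1 or later) supports TLSv1.3 at all.
HAS_TLS13 = ssl.HAS_TLSv1_3


def make_context(cipher_string, max_version=None):
    """Build a client context the way an application would from its config.

    cipher_string goes through SSLContext.set_ciphers(), i.e.
    SSL_CTX_set_cipher_list(): it governs TLSv1.2-and-earlier suites only.
    max_version (e.g. "TLSv1_2", a member name of ssl.TLSVersion) is the
    separate protocol-version knob, SSL_CTX_set_max_proto_version(), and is
    what actually turns TLSv1.3 off.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    if max_version is not None:
        ctx.maximum_version = ssl.TLSVersion[max_version]
    return ctx


def ciphers_by_protocol(ctx):
    """Names of the suites OpenSSL still has enabled on ctx (SSL_get_ciphers()),
    grouped by the protocol version each suite belongs to."""
    grouped = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def tls13_suites_enabled(ctx):
    """TLSv1.3 suites stay listed whatever the cipher string said."""
    return ciphers_by_protocol(ctx).get("TLSv1.3", [])


def tls13_negotiable(ctx):
    """Whether a handshake on ctx could end up on TLSv1.3. This is decided by
    the version bounds alone, never by set_ciphers()."""
    if not HAS_TLS13:
        return False
    top = ctx.maximum_version
    return top == ssl.TLSVersion.MAXIMUM_SUPPORTED or top >= ssl.TLSVersion.TLSv1_3


if __name__ == "__main__":
    restricted = make_context(LEGACY_CIPHER_STRING)
    print("cipher string:", LEGACY_CIPHER_STRING)
    for proto, names in ciphers_by_protocol(restricted).items():
        print(f"  {proto}: {', '.join(names)}")
    print("TLSv1.3 negotiable:", tls13_negotiable(restricted))

    capped = make_context(LEGACY_CIPHER_STRING, max_version="TLSv1_2")
    print("after maximum_version = TLSv1_2, TLSv1.3 negotiable:",
          tls13_negotiable(capped))
```

Run stand-alone, the script lists a single TLSv1.2 suite next to the full set of TLSv1.3 suites for the restricted context, which is exactly the asymmetry the OpenSSL developers chose: an old cipher string cannot silently lock an upgraded server out of TLSv1.3, and an operator who really wants TLSv1.3 off must say so through the protocol-version setting rather than the cipher list.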
