Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions

Posted by Emeric Brun 
Hi All,

FYI: upgrading to the next openssl-1.1.1 could break your prod if you're using a forced cipher list, because
the handshake will fail regardless of the TLS protocol version if you don't specify a cipher valid for TLSv1.3
in your cipher list.

https://github.com/openssl/openssl/issues/5057

https://github.com/openssl/openssl/issues/5065

OpenSSL's team doesn't seem to consider this an issue and I'm just bored of discussing it with them.

R,
Emeric
On 12/01/2018 03:57 μμ, Emeric Brun wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because
> handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3
> in your cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> Openssl's team doesn't seem to consider this as an issue and I'm just bored to discuss with them.
>
> R,
> Emeric
>


So, if we enable TLSv1.3, together with TLSv1.2, on the server side, then the client must support
TLSv1.3, otherwise it will get a nice SSL error. Am I right? If I am right, I hope I'm not, then we
have to wait for all clients to support TLSv1.3 before we enable it on the server side. This
doesn't sound right and I am pretty sure I am completely wrong here.

Cheers,
Pavlos
The way I read it you just have to be sure to specify a valid tls 1.3 cipher. I have not attempted the configuration though to confirm.

________________________________
From: Pavlos Parissis <[email protected]>
Sent: Friday, January 12, 2018 4:55 PM
To: Emeric Brun; haproxy@formilux.org
Subject: Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions

On 12/01/2018 03:57 μμ, Emeric Brun wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because
> handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3
> in your cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> Openssl's team doesn't seem to consider this as an issue and I'm just bored to discuss with them.
>
> R,
> Emeric
>


So, If we enable TLSv1.3, together with TLSv1.2, on the server side, then client must support
TLSv1.3 otherwise it will get a nice SSL error. Am I right? If I am right, I hope I'm not, then we
have to wait for all clients to support TLSv1.3 before we enabled it on the server side, this
doesn't sound right and I am pretty sure I am completely wrong here.

Cheers,
Pavlos
Hi Pavlos,


On 12/01/2018 22:53, Pavlos Parissis wrote:
> On 12/01/2018 03:57 μμ, Emeric Brun wrote:
>> Hi All,
>>
>> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because
>> handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3
>> in your cipher list.
>>
>> https://github.com/openssl/openssl/issues/5057
>>
>> https://github.com/openssl/openssl/issues/5065
>>
>> Openssl's team doesn't seem to consider this as an issue and I'm just bored to discuss with them.
>>
>> R,
>> Emeric
>>
>
> So, If we enable TLSv1.3, together with TLSv1.2, on the server side, then client must support
> TLSv1.3 otherwise it will get a nice SSL error. Am I right? If I am right, I hope I'm not, then we
> have to wait for all clients to support TLSv1.3 before we enabled it on the server side, this
> doesn't sound right and I am pretty sure I am completely wrong here.
>
> Cheers,
> Pavlos
>
>

Not exactly, the moment you force a cipher list that does not include a
TLSv1.3 cipher on the server side (which has TLSv1.3 enabled) the TLS
handshake will break regardless of what is in the Client hello.

--
Moemen MHEDHBI
On 13/01/2018 01:22 μμ, Moemen MHEDHBI wrote:
> HI Pavlos,
>
>
> On 12/01/2018 22:53, Pavlos Parissis wrote:
>> On 12/01/2018 03:57 μμ, Emeric Brun wrote:
>>> Hi All,
>>>
>>> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because
>>> handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3
>>> in your cipher list.
>>>
>>> https://github.com/openssl/openssl/issues/5057
>>>
>>> https://github.com/openssl/openssl/issues/5065
>>>
>>> Openssl's team doesn't seem to consider this as an issue and I'm just bored to discuss with them.
>>>
>>> R,
>>> Emeric
>>>
>>
>> So, If we enable TLSv1.3, together with TLSv1.2, on the server side, then client must support
>> TLSv1.3 otherwise it will get a nice SSL error. Am I right? If I am right, I hope I'm not, then we
>> have to wait for all clients to support TLSv1.3 before we enabled it on the server side, this
>> doesn't sound right and I am pretty sure I am completely wrong here.
>>
>> Cheers,
>> Pavlos
>>
>>
>
> Not exactly, the moment you force a cipher list that does not include a
> TLSv1.3 cipher in the server side (which has TLSv1.3 enabled) the TLS
> handshake will break regardless of what is in the Client hello.
>

But, can we have TLSv3 enabled on server side and still accept TLSv2 sessions?

Cheers,
Pavlos
Hello,


On 13 January 2018 at 15:17, Pavlos Parissis <[email protected]> wrote:
>> Not exactly, the moment you force a cipher list that does not include a
>> TLSv1.3 cipher in the server side (which has TLSv1.3 enabled) the TLS
>> handshake will break regardless of what is in the Client hello.
>>
>
> But, can we have TLSv3 enabled on server side and still accept TLSv2 sessions?

Only if your cipher-list contains TLSv1.3 ciphers, otherwise nothing
will work (regardless of the TLS version).

OpenSSL really goes the extra mile to make everyone's life miserable.


Lukas
On 13/01/2018 04:22 μμ, Lukas Tribus wrote:
> Hello,
>
>
> On 13 January 2018 at 15:17, Pavlos Parissis <[email protected]> wrote:
>>> Not exactly, the moment you force a cipher list that does not include a
>>> TLSv1.3 cipher in the server side (which has TLSv1.3 enabled) the TLS
>>> handshake will break regardless of what is in the Client hello.
>>>
>>
>> But, can we have TLSv3 enabled on server side and still accept TLSv2 sessions?
>
> Only if your cipher-list contains TLSv1.3 ciphers, otherwise nothing
> will work (regardless of the TLS version).
>

and all those ciphers are supported by all recent browsers, right ?

> OpenSSL really goes the extra mile to make everyone's life miserable.
>
>

Is this the result of the implementation or of the TLSv1.3 design ?


Cheers,
Pavlos
Hello,


On 13 January 2018 at 20:57, Pavlos Parissis <[email protected]> wrote:
> On 13/01/2018 04:22 μμ, Lukas Tribus wrote:
>> Hello,
>>
>>
>> On 13 January 2018 at 15:17, Pavlos Parissis <[email protected]> wrote:
>>>> Not exactly, the moment you force a cipher list that does not include a
>>>> TLSv1.3 cipher in the server side (which has TLSv1.3 enabled) the TLS
>>>> handshake will break regardless of what is in the Client hello.
>>>>
>>>
>>> But, can we have TLSv3 enabled on server side and still accept TLSv2 sessions?
>>
>> Only if your cipher-list contains TLSv1.3 ciphers, otherwise nothing
>> will work (regardless of the TLS version).
>>
>
> and all those ciphers are supported by all recent browsers, right ?

That's not the point, you can always specify old ciphers as well. It's
just that you MUST specify at least 1 TLSv1.3 cipher (for any TLS
version to work).



>> OpenSSL really goes the extra mile to make everyone's life miserable.
>
> Is this the result of the implementation or of the TLSv1.3 design ?

TLSv1.3 is fine, the discussion in the IETF working-group has lots of
participants and the process works.

The OpenSSL implementation (and especially the API) is decided by a
small number of people, they have (rightfully so) their own opinions,
but I also don't see them receptive to different opinions.


That's why Google forked it and why others are switching to that fork:
https://blog.cloudflare.com/make-ssl-boring-again/


But abandoning OpenSSL for a fork like BoringSSL brings its own
problems, it's certainly not a change at the push of a button.


Lukas
Hello Emeric,


On 12 January 2018 at 15:57, Emeric Brun <[email protected]> wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because
> handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3
> in your cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> Openssl's team doesn't seem to consider this as an issue and I'm just bored to discuss with them.


FYI OpenSSL did a 180 on this, they have implemented a new API call to
set TLSv1.3 ciphers and enable them by default:

https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html



cheers,
lukas
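
Added example, not part of the thread and not HAProxy or OpenSSL project code: a check of what a forced legacy cipher string leaves enabled on the local OpenSSL build, using Python's `ssl` binding. The cipher string and the function names `effective_suites` and `audit` are constructed for illustration; the `at_risk` flag marks the condition discussed above (TLSv1.3 compiled in, but no TLSv1.3 suite offered).

```python
import ssl

# Constructed sample: a "forced" cipher string containing no TLSv1.3 suite.
FORCED_TLS12_LIST = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def effective_suites(cipher_string):
    """Group the suites a server context will offer by protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # set_ciphers() feeds the legacy (TLSv1.2 and below) cipher list only.
    ctx.set_ciphers(cipher_string)
    by_proto = {}
    for suite in ctx.get_ciphers():
        by_proto.setdefault(suite["protocol"], []).append(suite["name"])
    return by_proto


def audit(cipher_string):
    """Report whether the forced list left any TLSv1.3 suite enabled."""
    suites = effective_suites(cipher_string)
    tls13 = suites.get("TLSv1.3", [])
    legacy = [name
              for proto, names in suites.items() if proto != "TLSv1.3"
              for name in names]
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls13_compiled_in": ssl.HAS_TLSv1_3,
        "tls13_suites": tls13,
        "legacy_suites": legacy,
        # The failure mode from this thread: TLSv1.3 is enabled in the
        # library, yet the forced list left no TLSv1.3 suite to negotiate.
        "at_risk": ssl.HAS_TLSv1_3 and not tls13,
    }


if __name__ == "__main__":
    for key, value in audit(FORCED_TLS12_LIST).items():
        print(f"{key}: {value}")
```

On a build that configures TLSv1.3 suites separately and enables them by default, `tls13_suites` stays populated even though the forced string names none, and `at_risk` is false.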
Hi Lukas,

>
> FYI OpenSSL did a 180 on this, they are implemented a new API call to
> set TLSv1.3 ciphers and enable them by default:
>
> https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0
>
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
>

Seems like good news. Thank you Lukas!

>
> cheers,
> lukas
>

Emeric