From 0c3807a8165cbc982f330831a429571f2ff7beec Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 20 Jun 2018 20:28:54 +0100
Subject: [PATCH] OpenSSL: TLSv1.3 notes

---
 doc/doc-docbook/spec.xfpt | 17 ++++++++++++++++-
 src/src/tls-openssl.c     |  4 ++++
 test/runtest              |  7 ++++++-
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7ae09cfbe..daaf0032c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27417,7 +27417,10 @@ the size of the generated prime, so it might still be too large.
 .oindex "&%tls_require_ciphers%&" "OpenSSL"
 There is a function in the OpenSSL library that can be passed a list of cipher
 suites before the cipher negotiation takes place. This specifies which ciphers
-are acceptable. The list is colon separated and may contain names like
+.new
+are acceptable for TLS versions prior to 1.3.
+.wen
+The list is colon separated and may contain names like
 DES-CBC3-SHA. Exim passes the expanded value of &%tls_require_ciphers%&
 directly to this function call.
 Many systems will install the OpenSSL manual-pages, so you may have
@@ -27482,6 +27485,18 @@ This example will prefer ECDSA-authenticated ciphers over RSA ones:
 tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
 .endd
 
+.new
+For TLS version 1.3 the control available is less fine-grained
+and Exim does not provide access to it at present.
+The value of the &%tls_require_ciphers%& option is ignored when
+TLS version 1.3 is negociated.
+
+As of writing the library default cipher suite list for TLSv1.3 is
+.code
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+.endd
+.wen
+
 
 .section "Requiring specific ciphers or other parameters in GnuTLS" &&&
          "SECTreqciphgnu"
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7e6524dbd..e7bba0221 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1999,6 +1999,10 @@ if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr)
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they were
 historically separated by underscores. So that I can use either form in my tests,
 and also for general convenience, we turn underscores into hyphens here.
+
+XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
+for TLS 1.3 . Since we do not call it at present we get the default list:
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
 */
 
 if (expciphers)
diff --git a/test/runtest b/test/runtest
index 0dc3cca73..a35796c2c 100755
--- a/test/runtest
+++ b/test/runtest
@@ -544,6 +544,7 @@ RESET_AFTER_EXTRA_LINE_READ:
   # TLSv1.1:AES256-SHA:256
   # TLSv1.2:AES256-GCM-SHA384:256
   # TLSv1.2:DHE-RSA-AES256-SHA:256
+  # TLSv1.3:TLS_AES_256_GCM_SHA384:256
   # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
   # We also need to handle the ciphersuite without the TLS part present, for
   # client-ssl's output. We also see some older forced ciphersuites, but
@@ -553,10 +554,14 @@ RESET_AFTER_EXTRA_LINE_READ:
   #
   # Retain the authentication algorith field as we want to test that.
 
-  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg;
+  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[123]:/$1TLSv1:/xg;
   s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHA/g;
   s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g;
 
+  # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now,
+  # as it seems the protocol no longer supports a user choice.
+  s/TLS_AES(_256)_GCM_SHA384:256/TLS-AES256-SHA:xxx/g;
+
   # LibreSSL
   # TLSv1:AES256-GCM-SHA384:256
   # TLSv1:ECDHE-RSA-CHACHA20-POLY1305:256
-- 
2.39.5
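Review bot: The added comment records that tls_require_ciphers is not applied to a TLSv1.3 handshake, but the code leaves no runtime trace of that, so an operator who set the option to exclude suites gets enforcement on TLSv1.2 and below and nothing on TLSv1.3 with no hint in the logs. A debug line next to the `if (expciphers)` branch would make the gap visible during diagnosis, e.g. `DEBUG(D_tls) debug_printf("tls_require_ciphers is not applied to TLSv1.3 cipher suites\n");`. The three suite names quoted in the comment are the library's default at the time of writing and may differ in a later OpenSSL release or where the library's own configuration overrides them, so describing the list as "the library's configured default" rather than hard-coding the names would age better. The enclosing function starts and ends outside the hunk.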
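Review bot: The new substitution `s/TLS_AES(_256)_GCM_SHA384:256/TLS-AES256-SHA:xxx/g;` in the second runtest hunk normalises only one of the three suites that this same commit lists as the TLSv1.3 default (the tls-openssl.c comment also names TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256), so a run where the library picks either of the other two would likely leave the raw suite name in the output and fail the test on a cosmetic difference. The `(_256)` group is captured but never used. One pattern covering the three, mapped to the same fixed token, would be `s/TLS_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256):(128|256)/TLS-AES256-SHA:xxx/g;`. The widened `TLSv1\.[123]:` substitution earlier in the hunk already strips the version prefix, so the new pattern does not need to match it.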