Mailing List Archive

TLS 1.3
Hi,

when TLS 1.3 is released, will Exim automatically be able to use it if
OpenSSL supports it?

Do we have to make config changes to prefer 1.3 over 1.2 (just in case
;) )?

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: TLS 1.3
On 3/7/18 10:13 AM, Cyborg via Exim-users wrote:
> Hi,
>
> when TLS 1.3 is released, will Exim automatically be able to use it if
> OpenSSL supports it?
>
> Do we have to make config changes to prefer 1.3 over 1.2 (just in case
> ;) )?
>
> best regards,
> Marius
>
Hi,
if you want to use OpenSSL you just have to add some TLSv1.3 ciphers to
the tls_require_ciphers.
It must be TLS13-AES-128-GCM-SHA256 (OpenSSL's spelling of the cipher name).

See the RFC details:
9.1. Mandatory-to-Implement Cipher Suites

In the absence of an application profile standard specifying
otherwise, a TLS-compliant application MUST implement the
TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the
TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256
[RFC7539] cipher suites. (see Appendix B.4)


If you fail to add one of these ciphers, TLS connections with TLS 1.3 will
fail.
When TLSv1.3 is available it will be automatically preferred.

Already tested and running with OpenSSL 1.1.1-pre2-dev.
Cheers


--
Torsten

Re: TLS 1.3
> On Mar 7, 2018, at 4:49 AM, Torsten Tributh via Exim-users <exim-users@exim.org> wrote:
>
> Hi,
> if you want to use OpenSSL you just have to add some TLSv1.3 ciphers to
> the tls_require_ciphers.
> It must be TLS13-AES-128-GCM-SHA256 (OpenSSL's spelling of the cipher name).
>
> See the RFC details:
> 9.1. Mandatory-to-Implement Cipher Suites
>
> In the absence of an application profile standard specifying
> otherwise, a TLS-compliant application MUST implement the
> TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the
> TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256
> [RFC7539] cipher suites. (see Appendix B.4)
>
>
> If you fail to add one of these ciphers, TLS connections with TLS 1.3 will
> fail.
> When TLSv1.3 is available it will be automatically preferred.
>
> Already tested and running with OpenSSL 1.1.1-pre2-dev.

This may change; there's a high probability that TLS 1.3 ciphers will be
controlled via a separate interface and will be on by default. Therefore,
initially Exim will not be able to disable or customize the standard TLS
1.3 ciphers, but they're all fine, so this is likely mostly for the better.

Later, Exim can add support to also manage TLS 1.3 ciphers (if desired).

Stay tuned.

--
Viktor.


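Viktor's point, that TLS 1.3 suites sit behind a separate OpenSSL interface and are on by default, can be checked against whatever OpenSSL your Python links to. This is an added example, not code from the thread or from Exim; it uses the standard-library ssl module, which only exposes the legacy cipher-list interface (set_ciphers), so a restrictive cipher string trims the TLS 1.2 list while the RFC 8446 section 9.1 suites stay offered. The cipher string "ECDHE+AESGCM" is just a sample restriction chosen for the demonstration.

```python
import ssl

# Suite names from RFC 8446 section 9.1, as OpenSSL 1.1.1 (final) reports them.
MANDATORY_TLS13 = "TLS_AES_128_GCM_SHA256"
RECOMMENDED_TLS13 = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256")


def tls13_supported():
    """True when the linked OpenSSL (and this Python) can negotiate TLS 1.3."""
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


def split_by_version(ctx):
    """Return (tls13_names, older_names) for the suites an SSLContext offers."""
    tls13, older = [], []
    for c in ctx.get_ciphers():
        (tls13 if c["protocol"] == "TLSv1.3" else older).append(c["name"])
    return tls13, older


def effect_of_cipher_string(cipher_string):
    """Apply a legacy cipher string and report what it changed.

    set_ciphers() maps to SSL_CTX_set_cipher_list, which governs only the
    pre-1.3 suites; TLS 1.3 suites are configured through a separate list
    (SSL_CTX_set_ciphersuites), which the ssl module does not expose.
    """
    ctx = ssl.create_default_context()
    before13, before12 = split_by_version(ctx)
    ctx.set_ciphers(cipher_string)  # only the TLS <= 1.2 list is rewritten
    after13, after12 = split_by_version(ctx)
    return {
        "tls13_before": before13,
        "tls13_after": after13,
        "tls12_before": len(before12),
        "tls12_after": len(after12),
    }


def missing_rfc8446_suites(ctx=None):
    """Names of the section 9.1 suites that this context does not offer."""
    ctx = ctx or ssl.create_default_context()
    offered, _ = split_by_version(ctx)
    wanted = (MANDATORY_TLS13,) + RECOMMENDED_TLS13
    return [name for name in wanted if name not in offered]


if __name__ == "__main__":
    print(effect_of_cipher_string("ECDHE+AESGCM"))
    print("missing RFC 8446 suites:", missing_rfc8446_suites())
```

On a build without TLS 1.3 support the TLS 1.3 lists simply come back empty, which is itself the check worth running before relying on a cipher option to enable it.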