Title: cipher_suites for TLSv1_3
Closed wufanqqfsc closed 2 months ago

Description:
cipher_suites (repeated string) If specified, the TLS listener will only support the specified cipher list when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). So is there any way for us to set the cipher_suites for TLSv1_3 right now? Or do we need to self-extend with a new parameter? @ggreenway

cc @RyanTheOptimist

From the BoringSSL docs:
// TLS 1.3 ciphers do not participate in this mechanism and instead have a
// built-in preference order. Functions to set cipher lists do not affect TLS
// 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers.
I don't believe there's a way to configure boringssl to use a non-default set of cipher suites for TLSv1.3.

Correct, TLSv1.3 has mandated a set of ciphers as part of the protocol version. There is only one recommended cipher (CHACHA20-based one, non-FIPS compliant) that can possibly be adjusted.

OK, thanks very much. Seems we have to turn to using the OpenSSL version of Envoy because of these limitations of BoringSSL.
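The listener configuration below is an added illustration of the scope of the cipher_suites field discussed in this issue; it is not taken from the Envoy project or from the reporter. It uses the v3 DownstreamTlsContext API; the listener name, port, cipher names and certificate paths are placeholders chosen for the example. The cipher list only governs TLS 1.0-1.2 handshakes, so with TLSv1_3 allowed as the maximum version a TLS 1.3 client still negotiates one of BoringSSL's built-in TLS 1.3 suites, whatever this list says. The only way to make the listed suites authoritative through this config is to cap tls_maximum_protocol_version at TLSv1_2, which trades away TLS 1.3 entirely.

```yaml
static_resources:
  listeners:
  - name: https_listener            # placeholder listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }   # placeholder port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response: { status: 200, body: { inline_string: "ok" } }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
              # With TLSv1_3 as the maximum, a TLS 1.3 client negotiates one of
              # BoringSSL's built-in TLS 1.3 suites; cipher_suites below is not consulted.
              # Setting this to TLSv1_2 instead makes cipher_suites the full story,
              # at the cost of refusing TLS 1.3 altogether.
              tls_maximum_protocol_version: TLSv1_3
              # Applies to TLS 1.0-1.2 handshakes only (OpenSSL-style names).
              cipher_suites:
              - ECDHE-ECDSA-AES128-GCM-SHA256
              - ECDHE-RSA-AES128-GCM-SHA256
              - ECDHE-ECDSA-AES256-GCM-SHA384
              - ECDHE-RSA-AES256-GCM-SHA384
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # placeholder path
              private_key: { filename: /etc/envoy/certs/server.key }         # placeholder path
```

When auditing such a listener, check the negotiated protocol and cipher on a real TLS 1.3 connection rather than reading the cipher_suites list: a TLS 1.3 handshake will report a TLS_* suite that appears nowhere in this configuration.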