mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

[Epic] OpenSSL 3.x compatibility #260

Open janbrasna opened 1 month ago

janbrasna commented 1 month ago

This is a meta issue tracking known and unknown limitations in adding support for OpenSSL 3.x changes across the existing recommendations and current configs.

### Config compatibility
- [ ] https://github.com/mozilla/ssl-config-generator/issues/188
- [ ] https://github.com/mozilla/ssl-config-generator/pull/256
- [ ] https://github.com/mozilla/ssl-config-generator/issues/125
- [ ] https://github.com/mozilla/ssl-config-generator/issues/238
- [ ] https://github.com/mozilla/ssl-config-generator/pull/263
- [ ] #270
- [ ] ^^ Restrict RFC7919 negotiated FFDHE groups? (now enabled in TLSv1.3) see #162

gstrauss commented 1 month ago

Please see PR #256

janbrasna commented 4 weeks ago

I'm thinking whether any additions to support https://github.com/mozilla/server-side-tls/issues/286 shouldn't be made there too, to perhaps document the OpenSSL 3.x compatibility changes being introduced here also in the upstream wiki guidelines. (At least document the SECLEVEL change for old, potentially more RFC7919 groups negotiated, etc.)