Incorrect setting of ciphersuites for TLSv1.3

pocoproject / poco

The POCO C++ Libraries are powerful cross-platform C++ libraries for building network- and internet-based applications that run on desktop, server, mobile, IoT, and embedded systems.

https://pocoproject.org

Other

8.43k stars 2.17k forks source link

Incorrect setting of ciphersuites for TLSv1.3 #4610

Open afshinpir opened 3 months ago

afshinpir commented 3 months ago

Hi all,

In OpenSSL version of NetSSL, you are using SSL_CTX_set_cipher_list method to set cipher list: https://github.com/pocoproject/poco/blob/1edabc19d8ed70362f764b2bfc25efc297f617e8/NetSSL_OpenSSL/src/Context.cpp#L192 But the point is that this method only affects TLSv1.2 and below, and for TLSv1.3 you need to use SSL_CTX_set_ciphersuites() method based on OpenSSL documentation here: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html

micheleselea commented 3 months ago

You are right @afshinpir the point is that probably we need a new cipherList_TLS1.3 params because the two configuration are completely different. The default value for 1.3 is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"