https://wiki.openssl.org/api.php?action=feedcontributions&feedformat=atom&user=KurtOpenSSLWiki - User contributions [en]2026-05-12T13:59:44ZUser contributionsMediaWiki 1.35.13https://wiki.openssl.org/index.php?title=TLS1.3&diff=2729TLS1.32018-10-07T16:47:40Z<p>Kurt: /* Non-application data records */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
Applications should use the SSL_CTX_set_ciphersuites() or SSL_set_ciphersuites() functions to configure TLSv1.3 ciphersuites. Note that the functions SSL_CTX_get_ciphers() and SSL_get_ciphers() will return<br />
the full list of ciphersuites that have been configured for both TLSv1.2 and below and TLSv1.3.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the [https://www.openssl.org/docs/manmaster/man3/SSL_get1_session.html SSL_get1_session()] function (or similar).<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_remove_session.html SSL_CTX_remove_session()] to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session(). Calling SSL_get1_session() after a 2 way shutdown will give a resumable session if any was sent. You can check that a session is resumable with [https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html SSL_SESSION_is_resumable()].<br />
<br />
Client application developers should consider using the [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html SSL_CTX_sess_set_new_cb()] API instead. This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. The number of tickets can be set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html SSL_CTX_set_num_tickets]. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
If a client sends it's data and directly sends the close notify request and closes the connection, the server will still try to send tickets if configured to do so. Since the connection is already closed by the client, this might result in a write error and receiving the SIGPIPE signal. The write error will be ignored if it's a session ticket. But server applications can still get SIGPIPE they didn't get before.<br />
<br />
If the server sends session tickets and you want to be able to get a resumable session, you need to either call SSL_read() after the ticket was sent or do a 2 way shutdown.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2722TLS1.32018-09-05T20:58:47Z<p>Kurt: /* Sessions */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the [https://www.openssl.org/docs/manmaster/man3/SSL_get1_session.html SSL_get1_session()] function (or similar).<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_remove_session.html SSL_CTX_remove_session()] to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session(). Calling SSL_get1_session() after a 2 way shutdown will give a resumable session if any was sent. You can check that a session is resumable with [https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html SSL_SESSION_is_resumable()].<br />
<br />
Client application developers should consider using the [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html SSL_CTX_sess_set_new_cb()] API instead. This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. The number of tickets can be set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html SSL_CTX_set_num_tickets]. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
If a client sends it's data and directly sends the close notify request and closes the connection, the server will still try to send tickets if configured to do so. Since the connection is already closed by the client, this might result in a write error and receiving the SIGPIPE signal. The write error will be ignored if it's a session ticket. But server applications can still get SIGPIPE they didn't get before.<br />
<br />
If the server sends session tickets and you want to be able to get a resumable session, you need to either call SSL_read() after the ticket was sent or do a 2 way shutdown.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2721TLS1.32018-09-05T20:50:16Z<p>Kurt: /* Sessions */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the [https://www.openssl.org/docs/manmaster/man3/SSL_get1_session.html SSL_get1_session()] function (or similar).<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_remove_session.html SSL_CTX_remove_session()] to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session(). Calling SSL_get1_session() after a 2 way shutdown will give a resumable session if any was sent. You can check that a session is resumable with [https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html SSL_SESSION_is_resumable()].<br />
<br />
Client application developers should consider using the [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html SSL_CTX_sess_set_new_cb()] API instead. This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. The number of tickets can be set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html SSL_CTX_set_num_tickets]. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
If a client sends it's data and directly sends the close notify request and closes the connection, the server will still try to send tickets if configured to do so. Since the connection is already closed by the client, this might result in a write error and receiving the SIGPIPE signal. The write error will be ignored if it's a session ticket. But server applications can still get SIGPIPE they didn't get before.<br />
<br />
To be able to get a resumable session, you need to either call SSL_read() or do 2 way shutdown.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2720TLS1.32018-09-05T20:04:45Z<p>Kurt: /* Sessions */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the [https://www.openssl.org/docs/manmaster/man3/SSL_get1_session.html SSL_get1_session()] function (or similar).<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_remove_session.html SSL_CTX_remove_session()] to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session(). Calling SSL_get1_session() after a 2 way shutdown will give a resumable session if any was sent. You can check that a session is resumable with [https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html SSL_SESSION_is_resumable()].<br />
<br />
Client application developers should consider using the [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html SSL_CTX_sess_set_new_cb()] API instead. This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. The number of tickets can be set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html SSL_CTX_set_num_tickets]. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
If a client sends it's data and directly sends the close notify request and closes the connection, the server will still try to send tickets if configured to do so. Since the connection is already closed by the client, this might result in a write error and receiving the SIGPIPE signal. The write error will be ignored if it's a session ticket. But server applications can still get SIGPIPE they didn't get before.<br />
<br />
In TLS 1.2 and earlier, sending data, sending the close notify and closing the connection without reading anything or waiting for the close notify from the peer still created a resumable session. Since the session ticket is send after the negotiation in TLS 1.3, you need to make sure that the session ticket message from the server is processed by either calling SSL_read() or doing a 2 way shut shutdown.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2718TLS1.32018-08-26T19:54:58Z<p>Kurt: </p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the [https://www.openssl.org/docs/manmaster/man3/SSL_get1_session.html SSL_get1_session()] function (or similar).<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_remove_session.html SSL_CTX_remove_session()] to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session(). Calling SSL_get1_session() after a 2 way shutdown will give a resumable session if any was sent. You can check that a session is resumable with [https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html SSL_SESSION_is_resumable()].<br />
<br />
Client application developers should consider using the [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html SSL_CTX_sess_set_new_cb()] API instead. This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. The number of tickets can be set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html SSL_CTX_set_num_tickets]. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
An OpenSSL client will only process received sessions when they attempt to read application data. During the read if a session ticket message is encountered then it will be automatically processed. A consequence of this is that if a client application never attempts to read data from the server then it will never receive a session and hence resumption will not be possible. For that reason, if session resumption is required, then it is recommended that clients always perform at least one read between establishing and shutting down a connection.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2717TLS1.32018-08-26T19:51:51Z<p>Kurt: /* Sessions */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the [https://www.openssl.org/docs/man1.1.1/man3/SSL_get1_session.html SSL_get1_session()] function (or similar).<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_remove_session.html SSL_CTX_remove_session()] to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session(). Calling SSL_get1_session() after a 2 way shutdown will give a resumable session if any was sent. You can check that a session is resumable with [https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_is_resumable.html SSL_SESSION_is_resumable()].<br />
<br />
Client application developers should consider using the [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_new_cb.html SSL_CTX_sess_set_new_cb()] API instead. This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. The number of tickets can be set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html SSL_CTX_set_num_tickets]. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
An OpenSSL client will only process received sessions when they attempt to read application data. During the read if a session ticket message is encountered then it will be automatically processed. A consequence of this is that if a client application never attempts to read data from the server then it will never receive a session and hence resumption will not be possible. For that reason, if session resumption is required, then it is recommended that clients always perform at least one read between establishing and shutting down a connection.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2716TLS1.32018-08-26T11:28:20Z<p>Kurt: /* Non-application data records */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the SSL_get1_session() function (or similar). See [https://www.openssl.org/docs/man1.1.1/man3/SSL_get1_session.html here] for further details.<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use SSL_CTX_remove_session() to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session().<br />
<br />
Client application developers should consider using the SSL_CTX_sess_set_new_cb() API instead (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_new_cb.html here]). This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
An OpenSSL client will only process received sessions when they attempt to read application data. During the read if a session ticket message is encountered then it will be automatically processed. A consequence of this is that if a client application never attempts to read data from the server then it will never receive a session and hence resumption will not be possible. For that reason, if session resumption is required, then it is recommended that clients always perform at least one read between establishing and shutting down a connection.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket and possibly a key update is send after the finished message. With TLSv1.2 it happened in case of renegotiation. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2715TLS1.32018-08-26T10:48:30Z<p>Kurt: Add section about non-application data</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
The TLSv1.3 standard has now been published as [[https://tools.ietf.org/html/rfc8446 RFC 8446]]. During the development of the standard the TLS Working Group published various draft versions. Implementations of draft versions of the standard identify the specific draft version that they are using. This means that implementations based on different draft versions, and also the final RFC version, do not interoperate with each other.<br />
<br />
The OpenSSL git master branch (and the 1.1.1-pre9 beta version) contain our development TLSv1.3 code which is based on the final version of RFC8446 and can be used for testing purposes (i.e. it is not for production use). Earlier beta versions of OpenSSL 1.1.1 implemented draft versions of the standard. Those versions contained the macro TLS1_3_VERSION_DRAFT_TXT in the tls1.h header file which identified the specific draft version that was implemented. This macro has been removed from 1.1.1-pre9 and the current master branch.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Although the latest 1.1.1 versions support the final standard version, other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS_AES_256_GCM_SHA384<br />
* TLS_CHACHA20_POLY1305_SHA256<br />
* TLS_AES_128_GCM_SHA256<br />
* TLS_AES_128_CCM_8_SHA256<br />
* TLS_AES_128_CCM_SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the SSL_get1_session() function (or similar). See [https://www.openssl.org/docs/man1.1.1/man3/SSL_get1_session.html here] for further details.<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use SSL_CTX_remove_session() to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce single use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session().<br />
<br />
Client application developers should consider using the SSL_CTX_sess_set_new_cb() API instead (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_new_cb.html here]). This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in previous versions of OpenSSL. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
An OpenSSL client will only process received sessions when they attempt to read application data. During the read if a session ticket message is encountered then it will be automatically processed. A consequence of this is that if a client application never attempts to read data from the server then it will never receive a session and hence resumption will not be possible. For that reason, if session resumption is required, then it is recommended that clients always perform at least one read between establishing and shutting down a connection.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. From OpenSSL 1.1.0 and above ciphersuites for TLSv1.2 and below based on DSA are no longer available by default (you must compile OpenSSL with the "enable-weak-ssl-ciphers" option, and explicitly configure the ciphersuites at run time). If your server application is using a DSA certificate and has made the necessary configuration changes to enable the ciphersuites then TLSv1.3 will never be negotiated when that certificate is used for a connection (the maximum version will be TLSv1.2).<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be sent depending on the hostname that was sent in the SNI extension. If the SNI extension is not sent the server's options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some sites want to encourage the use of SNI and configure a default certificate that fails WebPKI authentication when the client supports TLS 1.3. This is under the assumption that if a hostname is not sent, then it means that the client does not verify the server certificate (unauthenticated opportunistic TLS). For implementation that actually don't send the SNI extension, but do verify the server certificate this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== PSKs ==<br />
<br />
Pre-shared Keys work differently in TLSv1.2 and below compared to TLSv1.3.<br />
<br />
In TLSv1.2 (and below) special PSK specific ciphersuites are used. A client wishing to use a PSK will offer one (or more) of those ciphersuites to the server in the initial ClientHello message. If the server also wishes to use a PSK, then it will select that ciphersuite and will (optionally) send back an "identity hint" to the client. Finally the client sends back to the server identity details so that the server knows which PSK to use. In OpenSSL 1.1.0 and below this is implemented using a callback mechanism. The callback is called passing in the identity hint (or NULL if there is no hint) and the callback responds by filling in the identity details, as well as the PSK itself.<br />
<br />
In TLSv1.3, if a client wishes to use a PSK, then the identity details are sent immediately in the initial ClientHello message. Use of a PSK is independent of any ciphersuite selection. If the server wishes to use the PSK then it will signal this in its response to the client. Otherwise a full (non-PSK) handshake will occur. Note that there is no identity hint in TLSv1.3.<br />
<br />
OpenSSL 1.1.1 introduces new TLSv1.3 specific PSK callbacks. See [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_use_session_callback.html here] and [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_find_session_callback.html here] for further details. These are the preferred callbacks to use for TLSv1.3 PSKs. However, if an application has set up the TLSv1.2 PSK callbacks and TLSv1.3 is enabled then OpenSSL will attempt to fallback to using the old style callbacks. In this case, on the client side, the callback will be invoked before any communication with the server has taken place during construction of the initial ClientHello. This is because the identity details must be sent immediately in TLSv1.3. The identity hint value will always be NULL in this case.<br />
<br />
Note that the TLSv1.2 callbacks could end up being called twice for the same connection. For example if a client application provides no TLSv1.3 callback and TLSv1.3 is enabled, then it will be called first during the initial ClientHello construction. If the server subsequently selects TLSv1.2 then the callback will be called again later on in the handshake to set up the TLSv1.2 PSK.<br />
<br />
TLSv1.3 PSKs must specify a message digest (e.g. such as SHA-256). Where old style TLSv1.2 callbacks are used in a TLSv1.3 context then the message digest will default to SHA-256 (as specified in the standard). A server which has been configured with TLSv1.2 PSK callbacks, but negotiates TLSv1.3 with a client, will prefer ciphersuites based on SHA-256 in order to maximise the chances of a PSK being used.<br />
<br />
== Non-application data records ==<br />
<br />
TLSv1.3 sends more non-application data records after the handshake is finished. At least the session ticket is send after the finished message. [https://www.openssl.org/docs/manmaster/man3/SSL_read.html SSL_read()] has always documented that it can return SSL_ERROR_WANT_READ after processing non-application data, even when there is still data that can be read. When SSL_MODE_AUTO_RETRY is set using [https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_mode.html SSL_CTX_set_mode()] OpenSSL will try to process the next record, and so not return SSL_ERROR_WANT_READ while it still has data available. Because many applications did not handle this properly, SSL_MODE_AUTO_RETRY has been made the default. If the application is using non-blocking sockets and SSL_MODE_AUTO_RETRY is enabled, and select() is used to check if a socket is readable this results in SSL_read() processing the non-application data records, but then try to read an application data record which might not be available and hang.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2663TLS1.32018-04-27T22:42:47Z<p>Kurt: /* Server Name Indication */</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
As of the time of writing TLSv1.3 is still in draft. Periodically a new version of the draft standard is published by the TLS Working Group. Implementations of the draft are required to identify the specific draft version that they are using. This means that implementations based on different draft versions do not interoperate with each other.<br />
<br />
OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised. In the meantime the OpenSSL git master branch contains our development TLSv1.3 code which can be used for testing purposes (i.e. it is not for production use). You can check which draft TLSv1.3 version is implemented in any particular OpenSSL checkout by examining the value of the TLS1_3_VERSION_DRAFT_TXT macro in the tls1.h header file. This macro will be removed when the final version of the standard is released.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Currently OpenSSL has implemented the “draft-26” version of TLSv1.3. Other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS13-AES-256-GCM-SHA384<br />
* TLS13-CHACHA20-POLY1305-SHA256<br />
* TLS13-AES-128-GCM-SHA256<br />
* TLS13-AES-128-CCM-8-SHA256<br />
* TLS13-AES-128-CCM-SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305-SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. At the time of writing, OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the SSL_get1_session() function (or similar). See [https://www.openssl.org/docs/man1.1.1/man3/SSL_get1_session.html here] for further details.<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use SSL_CTX_remove_session() to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce singly use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session().<br />
<br />
Client application developers should consider using the SSL_CTX_sess_set_new_cb() API instead (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_new_cb.html here]). This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in OpenSSL 1.1.0. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. If your server application is using a DSA certificate then TLSv1.3 connections will fail with an error message similar to the following:<br />
<br />
<br />
140348850206144:error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:ssl/t1_lib.c:2308:<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be send depending on the hostname that was send in the SNI extension. If an SNI is not send the options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some people want to encourage the use of SNI and set up the default certificate to be for an invalid hostname if the client supports TLS 1.3. This is under the assumption that if a hostname is not send, that the client will check that the hostname of the certificate matches the hostname it's trying to connect to. For implementation that actually don't send the SNI, but do check the hostname this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function. For hostname validation see [[Hostname_validation|Hostname validation]].<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2662TLS1.32018-04-27T21:27:53Z<p>Kurt: Add SNI section.</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections and the new ones cannot be used in TLSv1.2 and below.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
As of the time of writing TLSv1.3 is still in draft. Periodically a new version of the draft standard is published by the TLS Working Group. Implementations of the draft are required to identify the specific draft version that they are using. This means that implementations based on different draft versions do not interoperate with each other.<br />
<br />
OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised. In the meantime the OpenSSL git master branch contains our development TLSv1.3 code which can be used for testing purposes (i.e. it is not for production use). You can check which draft TLSv1.3 version is implemented in any particular OpenSSL checkout by examining the value of the TLS1_3_VERSION_DRAFT_TXT macro in the tls1.h header file. This macro will be removed when the final version of the standard is released.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Currently OpenSSL has implemented the “draft-26” version of TLSv1.3. Other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS13-AES-256-GCM-SHA384<br />
* TLS13-CHACHA20-POLY1305-SHA256<br />
* TLS13-AES-128-GCM-SHA256<br />
* TLS13-AES-128-CCM-8-SHA256<br />
* TLS13-AES-128-CCM-SHA256<br />
<br />
Due to the major differences between the way that ciphersuites for TLSv1.2 and below and ciphersuites for TLSv1.3 work, they are configured in OpenSSL differently too.<br />
<br />
By default the first three of the above ciphersuites are enabled by default. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3. Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration.<br />
<br />
For the OpenSSL command line applications there is a new "-ciphersuites" option to configure the TLSv1.3 ciphersuite list. This is just a simple colon (":") separated list of TLSv1.3 ciphersuite names in preference order. Note that you cannot use the special characters such as "+", "!", "-" etc, that you can for defining TLSv1.2 ciphersuites. In practice this is not likely to be a problem because there are only a very small number of TLSv1.3 ciphersuites.<br />
<br />
For example:<br />
<br />
$ openssl s_server -cert mycert.pem -key mykey.pem -cipher ECDHE -ciphersuites "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256"<br />
<br />
This will configure OpenSSL to use any ECDHE based ciphersuites for TLSv1.2 and below. For TLSv1.3 the TLS13-AES-256-GCM-SHA384 and TLS13-CHACHA20-POLY1305-SHA256 ciphersuites will be available.<br />
<br />
Note that all of the above applies to the "ciphers" command line application as well. This can sometimes lead to surprising results. For example this command:<br />
<br />
$ openssl ciphers -s -v ECDHE<br />
<br />
Will list all the ciphersuites for TLSv1.2 and below that support ECDHE '''and''' additionally all of the default TLSv1.3 ciphersuites. Use the "-ciphersuites" option to further configure the TLSv1.3 ciphersuites.<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. At the time of writing, OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups.html here] for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS here]).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the SSL_get1_session() function (or similar). See [https://www.openssl.org/docs/man1.1.1/man3/SSL_get1_session.html here] for further details.<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this may not be enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use SSL_CTX_remove_session() to mark a session as non-resumable (and remove it from the cache) once it has been used. OpenSSL servers that accept "early_data" will automatically enforce singly use sessions. Any attempt to resume with a session that has already been used will fallback to a full handshake.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session().<br />
<br />
Client application developers should consider using the SSL_CTX_sess_set_new_cb() API instead (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_new_cb.html here]). This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in OpenSSL 1.1.0. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_add_custom_ext.html here] for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_serverinfo.html here] for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_key_update.html here] for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_verify_client_post_handshake.html here] for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. If your server application is using a DSA certificate then TLSv1.3 connections will fail with an error message similar to the following:<br />
<br />
<br />
140348850206144:error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:ssl/t1_lib.c:2308:<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see [https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html here] for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Server Name Indication ==<br />
<br />
Server Name Indication (SNI) can be used by the client to select one of several sites on the same host, and so a different X.509 certificate can be send depending on the hostname that was send in the SNI extension. If an SNI is not send the options are to either disconnect or select a default hostname and matching certificate. The default would typically be the main site.<br />
<br />
SNI has been made mandatory to implement in TLS 1.3 but not mandatory to use. Some people want to encourage the use of SNI and set up the default certificate to be for an invalid hostname if the client supports TLS 1.3. This is under the assumption that if a hostname is not send, that the client will check that the hostname of the certificate matches the hostname it's trying to connect to. For implementation that actually don't send the SNI, but do check the hostname this can cause connection failures.<br />
<br />
To enable SNI you need to use the [https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html SSL_set_tlsext_host_name()] function.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=Main_Page&diff=2652Main Page2018-04-20T08:10:17Z<p>Kurt: </p>
<hr />
<div>This is the OpenSSL wiki. The main site is https://www.openssl.org . If this is your first visit or to get an account please see the [[Welcome]] page. Your participation and [[Contributions]] are valued.<br />
<br />
This wiki is intended as a place for collecting, organizing, and refining useful information about OpenSSL that is currently strewn among multiple locations and formats.<br />
<br />
== OpenSSL Quick Links ==<br />
<br />
<TABLE border=0><br />
<TR><br />
<TD>[[OpenSSL Overview]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Compilation and Installation]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Internals]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Mailing Lists]] </TD><br />
</TR><br />
<TR><br />
<TD>[[libcrypto API]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[libssl API]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Examples]] </TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Documentation Index|Index of all API functions]]</TD><br />
</TR><br />
<TR><br />
<TD>[[License]] </TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Command Line Utilities]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Related Links]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[Binaries]]</TD><br />
</TR><br />
<TR><br />
<TD>[[SSL and TLS Protocols]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[1.1 API Changes]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[FIPS modules]]</TD><br />
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD><br />
<TD>[[TLS1.3]]</TD><br />
</TR><br />
</TABLE><br />
<br />
== Administrivia ==<br />
Site guidelines, legal and admininstrative issues.<br />
:* [[Basic rules]], [[Commercial Product Disclaimer]], [[Contributions]], [[Copyright]], [[License]]<br />
:* Using This Wiki<br />
:: [http://meta.wikimedia.org/wiki/Help:Contents Wiki User's Guide], [http://www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list], [http://www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ], [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki Mailing List]<br />
<br />
== Reference ==<br />
This section contains the automagically generated man pages from the OpenSSL git repository, and similar "man" style reference documentation. The man pages are automatically imported from the OpenSSL git repository and local wiki modifications are submitted as patches.<br />
:* [https://www.openssl.org/docs/manpages.html OpenSSL Manual Pages]<br />
:* [[API]], [[Libcrypto API]], [[Libssl API]]<br />
:* [[FIPS mode()]], [[FIPS_mode_set()]]<br />
<br />
== Usage and Programming ==<br />
This section has discussions of practical issues in using OpenSSL<br />
:* Building from Source<br />
:: Where to find it, the different versions, how to build and install it.<br />
:* [[OpenSSL Overview]]<br />
:* [[Versioning]]<br />
:* [[Compilation and Installation]]<br />
:* [[EVP]]<br />
:: Programming techniques and example code<br />
:: Use of EVP is preferred for most applications and circumstances<br />
::* [[EVP Asymmetric Encryption and Decryption of an Envelope]]<br />
::* [[EVP Authenticated Encryption and Decryption]]<br />
::* [[EVP Symmetric Encryption and Decryption]]<br />
::* [[EVP Key and Parameter Generation]]<br />
::* [[EVP Key Agreement]]<br />
::* [[EVP Message Digests]]<br />
::* [[EVP Key Derivation]]<br />
::* [[EVP Signing and Verifying|EVP Signing and Verifying (including MAC codes)]]<br />
:* [[STACK API]]<br />
:* [[List of SSL OP Flags]]<br />
:* Low Level APIs<br />
::[[Creating an OpenSSL Engine to use indigenous ECDH ECDSA and HASH Algorithms]]<br />
:: More specialized non-EVP usage<br />
::* [[Diffie-Hellman parameters]]<br />
:* [[FIPS Mode]]<br />
:* [[Simple TLS Server]]<br />
<br />
== Concepts and Theory ==<br />
Discussions of basic cryptographic theory and concepts<br />
Discussions of common operational issues<br />
:* [[Base64]]<br />
:* [http://wiki.openssl.org/index.php/Category:FIPS_140 FIPS 140-2]<br />
:* [[Random Numbers]]<br />
:* [[Diffie Hellman]]<br />
:* [[Elliptic Curve Diffie Hellman]]<br />
:* [[Elliptic Curve Cryptography]]<br />
<br />
== Security Advisories ==<br />
:* [https://www.openssl.org/policies/secpolicy.html OpenSSL Security Policy]<br />
:* [https://www.openssl.org/news/vulnerabilities.html OpenSSL Vulnerabilities List]<br />
:* [[Security_Advisories|Security Advisories Additional Information]]<br />
<br />
== Feedback and Contributions ==<br />
:* [https://www.openssl.org/news/vulnerabilities.html How to notify us of suspected security vulnerabilities]<br />
:* [https://www.openssl.org/community/#bugs How to report bugs, other than for suspected vulnerabilities]<br />
:* [[Contributions|General background on source and documentation contributions - '''must read''']]<br />
:* Contributing code fixes, other than for suspected vulnerabilities, as well as fixes and other improvements to manual pages:<br />
::* If you are unsure as to whether a feature will be useful for the general OpenSSL community please discuss it on the [https://www.openssl.org/community/ openssl-users mailing list] first. Someone may be already working on the same thing or there may be a good reason as to why that feature isn't implemented.<br />
::* Follow the [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|instructions for accessing source code]] in the appropriate branches. Note that manual pages and the FAQ are maintained with the source code.<br />
::* Submit a pull request for each separate fix (also documented [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|there]])<br />
::* Submit a bug report (see second bullet, above) and reference the pull request. Or you can attach the patch to the ticket.<br />
:* Contributing fixes and other improvements to the web site<br />
::* Follow the [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|instructions for accessing web site sources]]<br />
::* Create a patch (also documented [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|there]])<br />
::* Submit a bug report and add the patch as an attachment<br />
:* [[Developing For OpenSSL]]<br />
:* [[KnownPatches|Known patches not part of OpenSSL]]<br />
:* [[Welcome|Contributing to this wiki]]<br />
<br />
== Internals and Development ==<br />
This section is for internal details of primary interest to OpenSSL maintainers and power users<br />
:* [[Code reformatting]]<br />
<br />
:* [[Internals]]<br />
:* [[Code Quality]]<br />
:* [[Static and Dynamic Analysis]]<br />
:* [[OCB|OCB Licence details]]<br />
:* [[Defect and Feature Review Process]]<br />
:* [[Unit Testing]] (includes other automated testing information)<br />
:* [[How to Integrate a Symmetric Cipher]]</div>Kurthttps://wiki.openssl.org/index.php?title=TLS1.3&diff=2651TLS1.32018-04-20T08:09:12Z<p>Kurt: Import from blog</p>
<hr />
<div>The OpenSSL 1.1.1 release includes support for TLSv1.3. The release is binary and API compatible with OpenSSL 1.1.0. In theory, if your application supports OpenSSL 1.1.0, then all you need to do to upgrade is to drop in the new version of OpenSSL and you will automatically start being able to use TLSv1.3. However there are some issues that application developers and deployers need to be aware of.<br />
<br />
== Differences with TLS1.2 and below ==<br />
<br />
TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:<br />
<br />
* There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections.<br />
* The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECHDE). This has implications for ciphersuite configuration.<br />
* Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.<br />
* Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.<br />
* Renegotiation is not possible in a TLSv1.3 connection<br />
* More of the handshake is now encrypted.<br />
* More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)<br />
* DSA certificates are no longer allowed in TLSv1.3 connections<br />
<br />
Note that at this stage only TLSv1.3 is supported. DTLSv1.3 is still in the early days of specification and there is no OpenSSL support for it at this time.<br />
<br />
== Current status of the TLSv1.3 standard ==<br />
<br />
As of the time of writing TLSv1.3 is still in draft. Periodically a new version of the draft standard is published by the TLS Working Group. Implementations of the draft are required to identify the specific draft version that they are using. This means that implementations based on different draft versions do not interoperate with each other.<br />
<br />
OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised. In the meantime the OpenSSL git master branch contains our development TLSv1.3 code which can be used for testing purposes (i.e. it is not for production use). You can check which draft TLSv1.3 version is implemented in any particular OpenSSL checkout by examining the value of the TLS1_3_VERSION_DRAFT_TXT macro in the tls1.h header file. This macro will be removed when the final version of the standard is released.<br />
<br />
TLSv1.3 is enabled by default in the latest development versions (there is no need to explicitly enable it). To disable it at compile time you must use the “no-tls1_3” option to “config” or “Configure”.<br />
<br />
Currently OpenSSL has implemented the “draft-26” version of TLSv1.3. Other applications that support TLSv1.3 may still be using older draft versions. This is a common source of interoperability problems. If two peers supporting different TLSv1.3 draft versions attempt to communicate then they will fall back to TLSv1.2.<br />
<br />
== Ciphersuites ==<br />
<br />
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:<br />
<br />
* TLS13-AES-256-GCM-SHA384<br />
* TLS13-CHACHA20-POLY1305-SHA256<br />
* TLS13-AES-128-GCM-SHA256<br />
* TLS13-AES-128-CCM-8-SHA256<br />
* TLS13-AES-128-CCM-SHA256<br />
<br />
Of these the first three are in the DEFAULT ciphersuite group. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3.<br />
<br />
All the TLSv1.3 ciphersuites also appear in the HIGH ciphersuite alias. The CHACHA20, AES, AES128, AES256, AESGCM, AESCCM and AESCCM8 ciphersuite aliases include a subset of these ciphersuites as you would expect based on their names. Key exchange and authentication properties were part of the ciphersuite definition in TLSv1.2 and below. This is no longer the case in TLSv1.3 so ciphersuite aliases such as ECDHE, ECDSA, RSA and other similar aliases do not contain any TLSv1.3 ciphersuites.<br />
<br />
If you explicitly configure your ciphersuites then care should be taken to ensure that you are not inadvertently excluding all TLSv1.3 compatible ciphersuites. If a client has TLSv1.3 enabled but no TLSv1.3 ciphersuites configured then it will immediately fail (even if the server does not support TLSv1.3) with an error message like this:<br />
<br />
<br />
140399519134144:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:ssl/statem/statem_clnt.c:3715:No ciphers enabled for max supported SSL/TLS version<br />
<br />
<br />
Similarly if a server has TLSv1.3 enabled but no TLSv1.3 ciphersuites it will also immediately fail, even if the client does not support TLSv1.3, with an error message like this:<br />
<br />
<br />
140640328024512:error:141FC0B5:SSL routines:tls_setup_handshake:no ciphers available:ssl/statem/statem_lib.c:120:No ciphers enabled for max supported SSL/TLS version<br />
<br />
<br />
For example, setting a ciphersuite selection string of ECDHE:!COMPLEMENTOFDEFAULT will work in OpenSSL 1.1.0 and will only select those ciphersuites that are in DEFAULT and also use ECDHE for key exchange. However no TLSv1.3 ciphersuites are in the ECDHE group so this ciphersuite configuration will fail in OpenSSL 1.1.1 if TLSv1.3 is enabled.<br />
<br />
You may want to explicitly list the TLSv1.3 ciphersuites you want to use to avoid problems. For example:<br />
<br />
<br />
"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT"<br />
<br />
<br />
You can test which ciphersuites are included in a given ciphersuite selection string using the openssl ciphers -s -v command:<br />
<br />
$ openssl ciphers -s -v "ECDHE:!COMPLEMENTOFDEFAULT"<br />
<br />
Ensure that at least one ciphersuite supports TLSv1.3<br />
<br />
== Groups ==<br />
<br />
In TLSv1.3 the client selects a “group” that it will use for key exchange. At the time of writing, OpenSSL only supports ECDHE groups for this. The client then sends “key_share” information to the server for its selected group in the ClientHello.<br />
<br />
The list of supported groups is configurable. It is possible for a client to select a group that the server does not support. In this case the server requests that the client sends a new key_share that it does support. While this means a connection will still be established (assuming a mutually supported group exists), it does introduce an extra server round trip - so this has implications for performance. In the ideal scenario the client will select a group that the server supports in the first instance.<br />
<br />
In practice most clients will use X25519 or P-256 for their initial key_share. For maximum performance it is recommended that servers are configured to support at least those two groups and clients use one of those two for its initial key_share. This is the default case (OpenSSL clients will use X25519).<br />
<br />
The group configuration also controls the allowed groups in TLSv1.2 and below. If applications have previously configured their groups in OpenSSL 1.1.0 then you should review that configuration to ensure that it still makes sense for TLSv1.3. The first named (i.e. most preferred group) will be the one used by an OpenSSL client in its intial key_share.<br />
<br />
Applications can configure the group list by using SSL_CTX_set1_groups() or a similar function (see here for further details). Alternatively, if applications use SSL_CONF style configuration files then this can be configured using the Groups or Curves command (see here).<br />
<br />
== Sessions ==<br />
<br />
In TLSv1.2 and below a session is established as part of the handshake. This session can then be used in a subsequent connection to achieve an abbreviated handshake. Applications might typically obtain a handle on the session after a handshake has completed using the SSL_get1_session() function (or similar). See here for further details.<br />
<br />
In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).<br />
<br />
The specification recommends that applications only use a session once (although this is not enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use SSL_CTX_remove_session() to mark a session as non-resumable (and remove it from the cache) once it has been used.<br />
<br />
The old SSL_get1_session() and similar APIs may not operate as expected for client applications written for TLSv1.2 and below. Specifically if a client application calls SSL_get1_session() before the server message containing session details has been received then an SSL_SESSION object will still be returned, but any attempt to resume with it will not succeed and a full handshake will occur instead. In the case where multiple sessions have been sent by the server then only the last session will be returned by SSL_get1_session().<br />
<br />
Client application developers should consider using the SSL_CTX_sess_set_new_cb() API instead (see here). This provides a callback mechanism which gets invoked every time a new session is established. This can get invoked multiple times for a single connection if a server sends multiple session messages.<br />
<br />
Note that SSL_CTX_sess_set_new_cb() was also available in OpenSSL 1.1.0. Applications that already used that API will still work, but they may find that the callback is invoked at unexpected times, i.e. post-handshake.<br />
<br />
An OpenSSL server will immediately attempt to send session details to a client after the main handshake has completed. To server applications this post-handshake stage will appear to be part of the main handshake, so calls to SSL_get1_session() should continue to work as before.<br />
<br />
== Custom Extensions and Certificate Transparency ==<br />
<br />
In TLSv1.2 and below the initial ClientHello and ServerHello messages can contain “extensions”. This allows the base specifications to be extended with additional features and capabilities that may not be applicable in all scenarios or could not be foreseen at the time that the base specifications were written. OpenSSL provides support for a number of “built-in” extensions.<br />
<br />
Additionally the custom extensions API provides some basic capabilities for application developers to add support for new extensions that are not built-in to OpenSSL.<br />
<br />
Built on top of the custom extensions API is the “serverinfo” API. This provides an even more basic interface that can be configured at run time. One use case for this is Certificate Transparency. OpenSSL provides built-in support for the client side of Certificate Transparency but there is no built-in server side support. However this can easily be achieved using “serverinfo” files. A serverinfo file containing the Certificate Transparency information can be configured within OpenSSL and it will then be sent back to the client as appropriate.<br />
<br />
In TLSv1.3 the use of extensions is expanded significantly and there are many more messages that can include them. Additionally some extensions that were applicable to TLSv1.2 and below are no longer applicable in TLSv1.3 and some extensions are moved from the ServerHello message to the EncryptedExtensions message. The old custom extensions API does not have the ability to specify which messages the extensions should be associated with. For that reason a new custom extensions API was required.<br />
<br />
The old API will still work, but the custom extensions will only be added where TLSv1.2 or below is negotiated. To add custom extensions that work for all TLS versions application developers will need to update their applications to the new API (see here for details).<br />
<br />
The “serverinfo” data format has also been updated to include additional information about which messages the extensions are relevant to. Applications using “serverinfo” files may need to update to the “version 2” file format to be able to operate in TLSv1.3 (see here and here for details).<br />
<br />
== Renegotiation ==<br />
<br />
TLSv1.3 does not have renegotiation so calls to SSL_renegotiate() or SSL_renegotiate_abbreviated() will immediately fail if invoked on a connection that has negotiated TLSv1.3.<br />
<br />
A common use case for renegotiation is to update the connection keys. The function SSL_key_update() can be used for this purpose in TLSv1.3 (see here for further details).<br />
<br />
Another use case is to request a certificate from the client. This can be achieved by using the SSL_verify_client_post_handshake() function in TLSv1.3 (see here for further details).<br />
<br />
== DSA certificates ==<br />
<br />
DSA certificates are no longer allowed in TLSv1.3. If your server application is using a DSA certificate then TLSv1.3 connections will fail with an error message similar to the following:<br />
<br />
<br />
140348850206144:error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:ssl/t1_lib.c:2308:<br />
<br />
Please use an ECDSA or RSA certificate instead.<br />
<br />
== Middlebox Compatibility Mode ==<br />
<br />
During development of the TLSv1.3 standard it became apparent that in some cases, even if a client and server both support TLSv1.3, connections could sometimes still fail. This is because middleboxes on the network between the two peers do not understand the new protocol and prevent the connection from taking place. In order to work around this problem the TLSv1.3 specification introduced a “middlebox compatibility” mode. This made a few optional changes to the protocol to make it appear more like TLSv1.2 so that middleboxes would let it through. Largely these changes are superficial in nature but do include sending some small but unneccessary messages. OpenSSL has middlebox compatibility mode on by default, so most users should not need to worry about this. However applications may choose to switch it off by calling the function SSL_CTX_clear_options() and passing SSL_OP_ENABLE_MIDDLEBOX_COMPAT as an argument (see here for further details).<br />
<br />
If the remote peer is not using middlebox compatibility mode and there are problematic middleboxes on the network path then this could cause spurious connection failures.<br />
<br />
== Conclusion ==<br />
<br />
TLSv1.3 represents a significant step forward and has some exciting new features but there are some hazards for the unwary when upgrading. Mostly these issues have relatively straight forward solutions. Application developers should review their code and consider whether anything should be updated in order to work more effectively with TLSv1.3. Similarly application deployers should review their configuration.</div>Kurthttps://wiki.openssl.org/index.php?title=OpenSSL_1.1.0_Changes&diff=2492OpenSSL 1.1.0 Changes2016-11-04T15:48:25Z<p>Kurt: /* Adding forward-compatible code to older versions */</p>
<hr />
<div>This is a parent page for discussion about API changes being done for OpenSSL version 1.1<br />
<br />
The overall goal of this project is to make most data structures opaque to applications. This provides us with a number of benefits:<br />
* We can add fields without breaking [[Binary_Compatibility|binary compatibility]]<br />
* Applications are more robust and can be more assured about correctness<br />
* It helps us determine which (new) accessors and settors, for example, are needed<br />
<br />
Please add sub-pages to discuss particular parts of the library as work progresses.<br />
<br />
== Major Changes so far ==<br />
<br />
* All structures in libssl public header files have been removed so that they are "opaque" to library users. You should use the provided accessor functions instead<br />
* The old DES API has been removed<br />
* bn, a sub library in libcrypto, has been made opaque<br />
* Access to deprecated functions/macros has been removed by default. To enable access you must do two things. 1) Build OpenSSL with deprecation support (pass "enable-deprecated" as an argument to config) 2) Applications must define "OPENSSL_USE_DEPRECATED" before including OpenSSL header files<br />
* HMAC_Init and HMAC_cleanup were previously stated in the docs and header files as being deprecated - but were not flagged in previous versions with OPENSSL_NO_DEPRECATED. This has been corrected in 1.1.0. Access to these functions/macros will be off by default in 1.1.0 as per the note above about deprecation.<br />
<br />
== OPENSSL_API_COMPAT ==<br />
<br />
Various functions get deprecated as other interfaces get added, but are still available in a default build.<br />
The include files support setting the OPENSSL_API_COMPAT define that will hide functions that are deprecated in the selected version.<br />
To select the 1.1.0 version use -DOPENSSL_API_COMPAT=0x10100000L.<br />
<br />
== Backward compatibility ==<br />
<br />
Since some structures have become opaque you can't directly access the member any more. You might need to create backward compatible macros or functions if you still want to support older versions of OpenSSL. A suggested way of doing that is:<br />
<br />
<code><br />
#if OPENSSL_VERSION_NUMBER < 0x10100000L<br />
#define OBJ_get0_data(o) ((o)->data)<br />
#define OBJ_length(o) ((o)->length)<br />
#endif<br />
</code><br />
<br />
== Adding forward-compatible code to older versions ==<br />
<br />
Application code now has to use pointers, and cannot allocate objects directly on the stack. For instance if the old code did:<br />
<br />
<code><br />
BN_CTX ctx;<br />
</code><br />
<br />
You now have to do:<br />
<code><br />
BN_CTX *ctx;<br />
<br />
ctx = BN_CTX_new();<br />
[...]<br />
BN_CTX_free(ctx);<br />
</code><br />
<br />
If you want to access rsa->n you now have to do something like:<br />
<code><br />
const BIGNUM *n;<br />
<br />
RSA_get0_key(rsa, &n, NULL, NULL);<br />
</code><br />
<br />
There are new functions available for to get and set such variables that are not available in older versions. The suggested way to solve this is add your own copy of the new functions based on the one in OpenSSL 1.1.0. Here is an overview of most of them and how they could look like:<br />
<code><br />
#if OPENSSL_VERSION_NUMBER < 0x10100000L<br />
<br />
#include <string.h><br />
#include <openssl/engine.h><br />
<br />
static void *OPENSSL_zalloc(size_t num)<br />
{<br />
void *ret = OPENSSL_malloc(num);<br />
<br />
if (ret != NULL)<br />
memset(ret, 0, num);<br />
return ret;<br />
}<br />
<br />
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)<br />
{<br />
/* If the fields n and e in r are NULL, the corresponding input<br />
* parameters MUST be non-NULL for n and e. d may be<br />
* left NULL (in case only the public key is used).<br />
*/<br />
if ((r->n == NULL && n == NULL)<br />
|| (r->e == NULL && e == NULL))<br />
return 0;<br />
<br />
if (n != NULL) {<br />
BN_free(r->n);<br />
r->n = n;<br />
}<br />
if (e != NULL) {<br />
BN_free(r->e);<br />
r->e = e;<br />
}<br />
if (d != NULL) {<br />
BN_free(r->d);<br />
r->d = d;<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)<br />
{<br />
/* If the fields p and q in r are NULL, the corresponding input<br />
* parameters MUST be non-NULL.<br />
*/<br />
if ((r->p == NULL && p == NULL)<br />
|| (r->q == NULL && q == NULL))<br />
return 0;<br />
<br />
if (p != NULL) {<br />
BN_free(r->p);<br />
r->p = p;<br />
}<br />
if (q != NULL) {<br />
BN_free(r->q);<br />
r->q = q;<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)<br />
{<br />
/* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input<br />
* parameters MUST be non-NULL.<br />
*/<br />
if ((r->dmp1 == NULL && dmp1 == NULL)<br />
|| (r->dmq1 == NULL && dmq1 == NULL)<br />
|| (r->iqmp == NULL && iqmp == NULL))<br />
return 0;<br />
<br />
if (dmp1 != NULL) {<br />
BN_free(r->dmp1);<br />
r->dmp1 = dmp1;<br />
}<br />
if (dmq1 != NULL) {<br />
BN_free(r->dmq1);<br />
r->dmq1 = dmq1;<br />
}<br />
if (iqmp != NULL) {<br />
BN_free(r->iqmp);<br />
r->iqmp = iqmp;<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
void RSA_get0_key(const RSA *r,<br />
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)<br />
{<br />
if (n != NULL)<br />
*n = r->n;<br />
if (e != NULL)<br />
*e = r->e;<br />
if (d != NULL)<br />
*d = r->d;<br />
}<br />
<br />
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)<br />
{<br />
if (p != NULL)<br />
*p = r->p;<br />
if (q != NULL)<br />
*q = r->q;<br />
}<br />
<br />
void RSA_get0_crt_params(const RSA *r,<br />
const BIGNUM **dmp1, const BIGNUM **dmq1,<br />
const BIGNUM **iqmp)<br />
{<br />
if (dmp1 != NULL)<br />
*dmp1 = r->dmp1;<br />
if (dmq1 != NULL)<br />
*dmq1 = r->dmq1;<br />
if (iqmp != NULL)<br />
*iqmp = r->iqmp;<br />
}<br />
<br />
void DSA_get0_pqg(const DSA *d,<br />
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)<br />
{<br />
if (p != NULL)<br />
*p = d->p;<br />
if (q != NULL)<br />
*q = d->q;<br />
if (g != NULL)<br />
*g = d->g;<br />
}<br />
<br />
int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)<br />
{<br />
/* If the fields p, q and g in d are NULL, the corresponding input<br />
* parameters MUST be non-NULL.<br />
*/<br />
if ((d->p == NULL && p == NULL)<br />
|| (d->q == NULL && q == NULL)<br />
|| (d->g == NULL && g == NULL))<br />
return 0;<br />
<br />
if (p != NULL) {<br />
BN_free(d->p);<br />
d->p = p;<br />
}<br />
if (q != NULL) {<br />
BN_free(d->q);<br />
d->q = q;<br />
}<br />
if (g != NULL) {<br />
BN_free(d->g);<br />
d->g = g;<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
void DSA_get0_key(const DSA *d,<br />
const BIGNUM **pub_key, const BIGNUM **priv_key)<br />
{<br />
if (pub_key != NULL)<br />
*pub_key = d->pub_key;<br />
if (priv_key != NULL)<br />
*priv_key = d->priv_key;<br />
}<br />
<br />
int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)<br />
{<br />
/* If the field pub_key in d is NULL, the corresponding input<br />
* parameters MUST be non-NULL. The priv_key field may<br />
* be left NULL.<br />
*/<br />
if (d->pub_key == NULL && pub_key == NULL)<br />
return 0;<br />
<br />
if (pub_key != NULL) {<br />
BN_free(d->pub_key);<br />
d->pub_key = pub_key;<br />
}<br />
if (priv_key != NULL) {<br />
BN_free(d->priv_key);<br />
d->priv_key = priv_key;<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)<br />
{<br />
if (pr != NULL)<br />
*pr = sig->r;<br />
if (ps != NULL)<br />
*ps = sig->s;<br />
}<br />
<br />
int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)<br />
{<br />
if (r == NULL || s == NULL)<br />
return 0;<br />
BN_clear_free(sig->r);<br />
BN_clear_free(sig->s);<br />
sig->r = r;<br />
sig->s = s;<br />
return 1;<br />
}<br />
<br />
void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)<br />
{<br />
if (pr != NULL)<br />
*pr = sig->r;<br />
if (ps != NULL)<br />
*ps = sig->s;<br />
}<br />
<br />
int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)<br />
{<br />
if (r == NULL || s == NULL)<br />
return 0;<br />
BN_clear_free(sig->r);<br />
BN_clear_free(sig->s);<br />
sig->r = r;<br />
sig->s = s;<br />
return 1;<br />
}<br />
<br />
void DH_get0_pqg(const DH *dh,<br />
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)<br />
{<br />
if (p != NULL)<br />
*p = dh->p;<br />
if (q != NULL)<br />
*q = dh->q;<br />
if (g != NULL)<br />
*g = dh->g;<br />
}<br />
<br />
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)<br />
{<br />
/* If the fields p and g in d are NULL, the corresponding input<br />
* parameters MUST be non-NULL. q may remain NULL.<br />
*/<br />
if ((dh->p == NULL && p == NULL)<br />
|| (dh->g == NULL && g == NULL))<br />
return 0;<br />
<br />
if (p != NULL) {<br />
BN_free(dh->p);<br />
dh->p = p;<br />
}<br />
if (q != NULL) {<br />
BN_free(dh->q);<br />
dh->q = q;<br />
}<br />
if (g != NULL) {<br />
BN_free(dh->g);<br />
dh->g = g;<br />
}<br />
<br />
if (q != NULL) {<br />
dh->length = BN_num_bits(q);<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)<br />
{<br />
if (pub_key != NULL)<br />
*pub_key = dh->pub_key;<br />
if (priv_key != NULL)<br />
*priv_key = dh->priv_key;<br />
}<br />
<br />
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)<br />
{<br />
/* If the field pub_key in dh is NULL, the corresponding input<br />
* parameters MUST be non-NULL. The priv_key field may<br />
* be left NULL.<br />
*/<br />
if (dh->pub_key == NULL && pub_key == NULL)<br />
return 0;<br />
<br />
if (pub_key != NULL) {<br />
BN_free(dh->pub_key);<br />
dh->pub_key = pub_key;<br />
}<br />
if (priv_key != NULL) {<br />
BN_free(dh->priv_key);<br />
dh->priv_key = priv_key;<br />
}<br />
<br />
return 1;<br />
}<br />
<br />
int DH_set_length(DH *dh, long length)<br />
{<br />
dh->length = length;<br />
return 1;<br />
}<br />
<br />
const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx)<br />
{<br />
return ctx->iv;<br />
}<br />
<br />
unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx)<br />
{<br />
return ctx->iv;<br />
}<br />
<br />
EVP_MD_CTX *EVP_MD_CTX_new(void)<br />
{<br />
return OPENSSL_zalloc(sizeof(EVP_MD_CTX));<br />
}<br />
<br />
void EVP_MD_CTX_free(EVP_MD_CTX *ctx)<br />
{<br />
EVP_MD_CTX_cleanup(ctx);<br />
OPENSSL_free(ctx);<br />
}<br />
<br />
RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)<br />
{<br />
RSA_METHOD *ret;<br />
<br />
ret = OPENSSL_malloc(sizeof(RSA_METHOD));<br />
<br />
if (ret != NULL) {<br />
memcpy(ret, meth, sizeof(*meth));<br />
ret->name = OPENSSL_strdup(meth->name);<br />
if (ret->name == NULL) {<br />
OPENSSL_free(ret);<br />
return NULL;<br />
}<br />
}<br />
<br />
return ret;<br />
}<br />
<br />
int RSA_meth_set1_name(RSA_METHOD *meth, const char *name)<br />
{<br />
char *tmpname;<br />
<br />
tmpname = OPENSSL_strdup(name);<br />
if (tmpname == NULL) {<br />
return 0;<br />
}<br />
<br />
OPENSSL_free((char *)meth->name);<br />
meth->name = tmpname;<br />
<br />
return 1;<br />
}<br />
<br />
int RSA_meth_set_priv_enc(RSA_METHOD *meth,<br />
int (*priv_enc) (int flen, const unsigned char *from,<br />
unsigned char *to, RSA *rsa,<br />
int padding))<br />
{<br />
meth->rsa_priv_enc = priv_enc;<br />
return 1;<br />
}<br />
<br />
int RSA_meth_set_priv_dec(RSA_METHOD *meth,<br />
int (*priv_dec) (int flen, const unsigned char *from,<br />
unsigned char *to, RSA *rsa,<br />
int padding))<br />
{<br />
meth->rsa_priv_dec = priv_dec;<br />
return 1;<br />
}<br />
<br />
int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))<br />
{<br />
meth->finish = finish;<br />
return 1;<br />
}<br />
<br />
void RSA_meth_free(RSA_METHOD *meth)<br />
{<br />
if (meth != NULL) {<br />
OPENSSL_free((char *)meth->name);<br />
OPENSSL_free(meth);<br />
}<br />
}<br />
<br />
int RSA_bits(const RSA *r)<br />
{<br />
return (BN_num_bits(r->n));<br />
}<br />
<br />
RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)<br />
{<br />
if (pkey->type != EVP_PKEY_RSA) {<br />
return NULL;<br />
}<br />
return pkey->pkey.rsa;<br />
}<br />
<br />
<br />
HMAC_CTX *HMAC_CTX_new(void)<br />
{<br />
HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));<br />
if (ctx != NULL) {<br />
if (!HMAC_CTX_reset(ctx)) {<br />
HMAC_CTX_free(ctx);<br />
return NULL;<br />
}<br />
}<br />
return ctx;<br />
}<br />
<br />
void HMAC_CTX_free(HMAC_CTX *ctx)<br />
{<br />
if (ctx != NULL) {<br />
hmac_ctx_cleanup(ctx);<br />
EVP_MD_CTX_free(ctx->i_ctx);<br />
EVP_MD_CTX_free(ctx->o_ctx);<br />
EVP_MD_CTX_free(ctx->md_ctx);<br />
OPENSSL_free(ctx);<br />
}<br />
}<br />
#endif<br />
</code><br />
<br />
== Things that Broke in Qt ==<br />
<br />
Here's what's broken in the dev branch of Qt when building openssl master as of 6 Feb 2015.<br />
<br />
* DH - we were directly accessing p and q to set the DH params to primes embedded in Qt. We can probably replace this with SSL_CTX_set_dh_auto(ctx, 1). Another option suggested by Steve Henson is to save the DHparams we're using at the moment then use d2i_DHparams to load them in. This is compatible with openssl versions that don't have the dh_auto option.<br />
<br />
* ctx->cert_store - we were directly accessing the cert_store field of SSL_CTX. We can probably replace this with X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) [Fixed in dev]<br />
<br />
* session->tlsext_tick_lifetime_hint - we were directly accessing the lifetime hint of the session. [A new API to access this field has been added]<br />
<br />
* cipher->valid - we were directly accessing the valid field of SSL_CIPHER. No replacement found. [This turned out not to be needed and so will be removed].<br />
<br />
== Things that Broke in Curl ==<br />
<br />
* SSL_SESSION->ssl_version. Replaced with SSL_version(SSL *)<br />
<br />
== Things that Broke in wget ==<br />
<br />
* SSL->state. Replaced with SSL_state(SSL *)<br />
<br />
== Things that Broke in Apache Traffic Manager ==<br />
<br />
* Setting SSL->rbio without setting SSL->wbio. New function introduction in 1.1.0 to handle this: SSL_set_rbio()<br />
<br />
== Things that Broke in OpenConnect ==<br />
<br />
In order to simulate "resume" of a DTLS session which never really existed but which was actually negotiated over the VPN control connection, [http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147 this code] in the [http://www.infradead.org/openconnect/ OpenConnect VPN client] needs to set the following fields in a new <tt>SSL_SESSION</tt>:<br />
* <tt>->ssl_version</tt><br />
* <tt>->cipher{,_id}</tt><br />
* <tt>->master_key{,_length}</tt><br />
* <tt>->session_id{,_length}</tt><br />
<br />
This was fixed with [http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/5abb133f this OpenConnect commit] which makes it create the ASN.1 representation of the session and import it with <tt>d2i_SSL_SESSION()</tt>. This is done conditionally in the above patch because it depends on the [http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=af674d4e20a82c2a98767b837072d7093c70b1cf fix in openssl HEAD] for <tt>d2i_SSL_SESSION()</tt> to make it cope with <tt>DTLS1_BAD_VER</tt> <i>([http://rt.openssl.org/Ticket/Display.html?id=3704 RT#3704])</i>.<br />
<br />
Other simpler things which broke:<br />
* <tt>SSL_CIPHER->id</tt>. Replaced with <tt>SSL_CIPHER_get_id()</tt><br />
* <tt>SSL_CTX->extra_certs</tt>. Replaced with <tt>SSL_CTX_get_extra_chain_certs_only()</tt><br />
<br />
== Things that Broke in TianoCore/EDKII ==<br />
<br />
EDKII is the reference implementation of UEFI firmware.<br />
<br />
* Various implicit inclusions of <tt>&lt;openssl/bn.h&gt;</tt> and <tt>&lt;openssl/rsa.h&gt;</tt> needed to be made explicit. ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/8d7d32c1 (commit)]''<br />
* <tt>X509_NAME->bytes->{data,length}</tt>. Replaced with <tt>i2d_X509_NAME()</tt> ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/e192c51b (commit)]''<br />
* <tt>X509_ATTRIBUTE->{object,value}</tt>. Replaced with <tt>X509_ATTRIBUTE_get0_object()</tt> and <tt>X509_ATTRIBUTE_get0_type()</tt> ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/1bd8ee96 (commit)]''<br />
* <tt>ASN1_OBJECT->{length,data}</tt>. Replaced with <tt>OBJ_get0_data()</tt> and <tt>OBJ_length()</tt>. With backward-compatibility <tt>#define</tt> of same. ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/6a7a36edc (commit)]''</div>Kurthttps://wiki.openssl.org/index.php?title=OpenSSL_1.1.0_Changes&diff=2404OpenSSL 1.1.0 Changes2016-06-15T20:24:05Z<p>Kurt: Add example of backward compatible macro</p>
<hr />
<div>This is a parent page for discussion about API changes being done for OpenSSL version 1.1<br />
<br />
The overall goal of this project is to make most data structures opaque to applications. This provides us with a number of benefits:<br />
* We can add fields without breaking [[Binary_Compatibility|binary compatibility]]<br />
* Applications are more robust and can be more assured about correctness<br />
* It helps us determine which (new) accessors and settors, for example, are needed<br />
<br />
Please add sub-pages to discuss particular parts of the library as work progresses.<br />
<br />
== Major Changes so far ==<br />
<br />
* All structures in libssl public header files have been removed so that they are "opaque" to library users. You should use the provided accessor functions instead<br />
* The old DES API has been removed<br />
* bn, a sub library in libcrypto, has been made opaque<br />
* Access to deprecated functions/macros has been removed by default. To enable access you must do two things. 1) Build OpenSSL with deprecation support (pass "enable-deprecated" as an argument to config) 2) Applications must define "OPENSSL_USE_DEPRECATED" before including OpenSSL header files<br />
* HMAC_Init and HMAC_cleanup were previously stated in the docs and header files as being deprecated - but were not flagged in previous versions with OPENSSL_NO_DEPRECATED. This has been corrected in 1.1.0. Access to these functions/macros will be off by default in 1.1.0 as per the note above about deprecation.<br />
<br />
== OPENSSL_API_COMPAT ==<br />
<br />
Various functions get deprecated as other interfaces get added, but are still available in a default build.<br />
The include files support setting the OPENSSL_API_COMPAT define that will hide functions that are deprecated in the selected version.<br />
To select the 1.1.0 version use -DOPENSSL_API_COMPAT=0x10100000L.<br />
<br />
== Backward compatibility ==<br />
<br />
Since some structures have become opaque you can't directly access the member any more. You might need to create backward compatible macros or functions if you still want to support older versions of OpenSSL. A suggested way of doing that is:<br />
<br />
<code><br />
#if OPENSSL_VERSION_NUMBER < 0x10100000L<br />
#define OBJ_get0_data(o) ((o)->data)<br />
#define OBJ_length(o) ((o)->length)<br />
#endif<br />
</code><br />
<br />
== Things that Broke in Qt ==<br />
<br />
Here's what's broken in the dev branch of Qt when building openssl master as of 6 Feb 2015.<br />
<br />
* DH - we were directly accessing p and q to set the DH params to primes embedded in Qt. We can probably replace this with SSL_CTX_set_dh_auto(ctx, 1). Another option suggested by Steve Henson is to save the DHparams we're using at the moment then use d2i_DHparams to load them in. This is compatible with openssl versions that don't have the dh_auto option.<br />
<br />
* ctx->cert_store - we were directly accessing the cert_store field of SSL_CTX. We can probably replace this with X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) [Fixed in dev]<br />
<br />
* session->tlsext_tick_lifetime_hint - we were directly accessing the lifetime hint of the session. [A new API to access this field has been added]<br />
<br />
* cipher->valid - we were directly accessing the valid field of SSL_CIPHER. No replacement found. [This turned out not to be needed and so will be removed].<br />
<br />
== Things that Broke in Curl ==<br />
<br />
* SSL_SESSION->ssl_version. Replaced with SSL_version(SSL *)<br />
<br />
== Things that Broke in wget ==<br />
<br />
* SSL->state. Replaced with SSL_state(SSL *)<br />
<br />
== Things that Broke in Apache Traffic Manager ==<br />
<br />
* Setting SSL->rbio without setting SSL->wbio. New function introduction in 1.1.0 to handle this: SSL_set_rbio()<br />
<br />
== Things that Broke in OpenConnect ==<br />
<br />
In order to simulate "resume" of a DTLS session which never really existed but which was actually negotiated over the VPN control connection, [http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147 this code] in the [http://www.infradead.org/openconnect/ OpenConnect VPN client] needs to set the following fields in a new <tt>SSL_SESSION</tt>:<br />
* <tt>->ssl_version</tt><br />
* <tt>->cipher{,_id}</tt><br />
* <tt>->master_key{,_length}</tt><br />
* <tt>->session_id{,_length}</tt><br />
<br />
This was fixed with [http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/5abb133f this OpenConnect commit] which makes it create the ASN.1 representation of the session and import it with <tt>d2i_SSL_SESSION()</tt>. This is done conditionally in the above patch because it depends on the [http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=af674d4e20a82c2a98767b837072d7093c70b1cf fix in openssl HEAD] for <tt>d2i_SSL_SESSION()</tt> to make it cope with <tt>DTLS1_BAD_VER</tt> <i>([http://rt.openssl.org/Ticket/Display.html?id=3704 RT#3704])</i>.<br />
<br />
Other simpler things which broke:<br />
* <tt>SSL_CIPHER->id</tt>. Replaced with <tt>SSL_CIPHER_get_id()</tt><br />
* <tt>SSL_CTX->extra_certs</tt>. Replaced with <tt>SSL_CTX_get_extra_chain_certs_only()</tt><br />
<br />
== Things that Broke in TianoCore/EDKII ==<br />
<br />
EDKII is the reference implementation of UEFI firmware.<br />
<br />
* Various implicit inclusions of <tt>&lt;openssl/bn.h&gt;</tt> and <tt>&lt;openssl/rsa.h&gt;</tt> needed to be made explicit. ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/8d7d32c1 (commit)]''<br />
* <tt>X509_NAME->bytes->{data,length}</tt>. Replaced with <tt>i2d_X509_NAME()</tt> ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/e192c51b (commit)]''<br />
* <tt>X509_ATTRIBUTE->{object,value}</tt>. Replaced with <tt>X509_ATTRIBUTE_get0_object()</tt> and <tt>X509_ATTRIBUTE_get0_type()</tt> ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/1bd8ee96 (commit)]''<br />
* <tt>ASN1_OBJECT->{length,data}</tt>. Replaced with <tt>OBJ_get0_data()</tt> and <tt>OBJ_length()</tt>. With backward-compatibility <tt>#define</tt> of same. ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/6a7a36edc (commit)]''</div>Kurthttps://wiki.openssl.org/index.php?title=OpenSSL_1.1.0_Changes&diff=2403OpenSSL 1.1.0 Changes2016-06-15T20:02:00Z<p>Kurt: Add OPENSSL_API_COMPAT</p>
<hr />
<div>This is a parent page for discussion about API changes being done for OpenSSL version 1.1<br />
<br />
The overall goal of this project is to make most data structures opaque to applications. This provides us with a number of benefits:<br />
* We can add fields without breaking [[Binary_Compatibility|binary compatibility]]<br />
* Applications are more robust and can be more assured about correctness<br />
* It helps us determine which (new) accessors and settors, for example, are needed<br />
<br />
Please add sub-pages to discuss particular parts of the library as work progresses.<br />
<br />
== Major Changes so far ==<br />
<br />
* All structures in libssl public header files have been removed so that they are "opaque" to library users. You should use the provided accessor functions instead<br />
* The old DES API has been removed<br />
* bn, a sub library in libcrypto, has been made opaque<br />
* Access to deprecated functions/macros has been removed by default. To enable access you must do two things. 1) Build OpenSSL with deprecation support (pass "enable-deprecated" as an argument to config) 2) Applications must define "OPENSSL_USE_DEPRECATED" before including OpenSSL header files<br />
* HMAC_Init and HMAC_cleanup were previously stated in the docs and header files as being deprecated - but were not flagged in previous versions with OPENSSL_NO_DEPRECATED. This has been corrected in 1.1.0. Access to these functions/macros will be off by default in 1.1.0 as per the note above about deprecation.<br />
<br />
== OPENSSL_API_COMPAT ==<br />
<br />
Various functions get deprecated as other interfaces get added, but are still available in a default build.<br />
The include files support setting the OPENSSL_API_COMPAT define that will hide functions that are deprecated in the selected version.<br />
To select the 1.1.0 version use -DOPENSSL_API_COMPAT=0x10100000L.<br />
<br />
== Things that Broke in Qt ==<br />
<br />
Here's what's broken in the dev branch of Qt when building openssl master as of 6 Feb 2015.<br />
<br />
* DH - we were directly accessing p and q to set the DH params to primes embedded in Qt. We can probably replace this with SSL_CTX_set_dh_auto(ctx, 1). Another option suggested by Steve Henson is to save the DHparams we're using at the moment then use d2i_DHparams to load them in. This is compatible with openssl versions that don't have the dh_auto option.<br />
<br />
* ctx->cert_store - we were directly accessing the cert_store field of SSL_CTX. We can probably replace this with X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) [Fixed in dev]<br />
<br />
* session->tlsext_tick_lifetime_hint - we were directly accessing the lifetime hint of the session. [A new API to access this field has been added]<br />
<br />
* cipher->valid - we were directly accessing the valid field of SSL_CIPHER. No replacement found. [This turned out not to be needed and so will be removed].<br />
<br />
== Things that Broke in Curl ==<br />
<br />
* SSL_SESSION->ssl_version. Replaced with SSL_version(SSL *)<br />
<br />
== Things that Broke in wget ==<br />
<br />
* SSL->state. Replaced with SSL_state(SSL *)<br />
<br />
== Things that Broke in Apache Traffic Manager ==<br />
<br />
* Setting SSL->rbio without setting SSL->wbio. New function introduction in 1.1.0 to handle this: SSL_set_rbio()<br />
<br />
== Things that Broke in OpenConnect ==<br />
<br />
In order to simulate "resume" of a DTLS session which never really existed but which was actually negotiated over the VPN control connection, [http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147 this code] in the [http://www.infradead.org/openconnect/ OpenConnect VPN client] needs to set the following fields in a new <tt>SSL_SESSION</tt>:<br />
* <tt>->ssl_version</tt><br />
* <tt>->cipher{,_id}</tt><br />
* <tt>->master_key{,_length}</tt><br />
* <tt>->session_id{,_length}</tt><br />
<br />
This was fixed with [http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/5abb133f this OpenConnect commit] which makes it create the ASN.1 representation of the session and import it with <tt>d2i_SSL_SESSION()</tt>. This is done conditionally in the above patch because it depends on the [http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=af674d4e20a82c2a98767b837072d7093c70b1cf fix in openssl HEAD] for <tt>d2i_SSL_SESSION()</tt> to make it cope with <tt>DTLS1_BAD_VER</tt> <i>([http://rt.openssl.org/Ticket/Display.html?id=3704 RT#3704])</i>.<br />
<br />
Other simpler things which broke:<br />
* <tt>SSL_CIPHER->id</tt>. Replaced with <tt>SSL_CIPHER_get_id()</tt><br />
* <tt>SSL_CTX->extra_certs</tt>. Replaced with <tt>SSL_CTX_get_extra_chain_certs_only()</tt><br />
<br />
== Things that Broke in TianoCore/EDKII ==<br />
<br />
EDKII is the reference implementation of UEFI firmware.<br />
<br />
* Various implicit inclusions of <tt>&lt;openssl/bn.h&gt;</tt> and <tt>&lt;openssl/rsa.h&gt;</tt> needed to be made explicit. ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/8d7d32c1 (commit)]''<br />
* <tt>X509_NAME->bytes->{data,length}</tt>. Replaced with <tt>i2d_X509_NAME()</tt> ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/e192c51b (commit)]''<br />
* <tt>X509_ATTRIBUTE->{object,value}</tt>. Replaced with <tt>X509_ATTRIBUTE_get0_object()</tt> and <tt>X509_ATTRIBUTE_get0_type()</tt> ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/1bd8ee96 (commit)]''<br />
* <tt>ASN1_OBJECT->{length,data}</tt>. Replaced with <tt>OBJ_get0_data()</tt> and <tt>OBJ_length()</tt>. With backward-compatibility <tt>#define</tt> of same. ''[http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/6a7a36edc (commit)]''</div>Kurt