Re: [exim] TLS 1.3

Author: Torsten Tributh
Date:  
To: exim-users
Subject: Re: [exim] TLS 1.3
On 3/7/18 10:13 AM, Cyborg via Exim-users wrote:
> Hi,
>
> when TLS 1.3 is released, will Exim automatically be able to use it if
> OpenSSL supports it?
>
> Do we have to make config changes to prefer 1.3 over 1.2 (just in case
> ;) )?
>
> best regards,
> Marius
>

Hi,
If you want to use OpenSSL, you just have to add some TLSv1.3 ciphers to
tls_require_ciphers.
It must be TLS13-AES-128-GCM-SHA256 (the OpenSSL spelling of the cipher).

See the RFC details:
9.1. Mandatory-to-Implement Cipher Suites

In the absence of an application profile standard specifying
otherwise, a TLS-compliant application MUST implement the
TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the
TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256
[RFC7539] cipher suites. (see Appendix B.4)


If you do not add one of these ciphers, TLS connections with TLS 1.3 will
fail.
When TLSv1.3 is available, it will be automatically preferred.

Already tested and running with OpenSSL 1.1.1-pre2-dev.
Cheers


--
Torsten