> On Mar 7, 2018, at 4:49 AM, Torsten Tributh via Exim-users <exim-users@???> wrote:
>
> Hi,
> if you want to use openssl you just have to add some TLSv1.3 Ciphers to
> the tls_require_ciphers.
> It must be TLS13-AES-128-GCM-SHA256 (openssl writing of the cipher)
>
> See the RFC details:
> 9.1. Mandatory-to-Implement Cipher Suites
>
> In the absence of an application profile standard specifying
> otherwise, a TLS-compliant application MUST implement the
> TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the
> TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256
> [RFC7539] cipher suites. (see Appendix B.4)
>
>
> If you miss to add one of these ciphers TLS connections with TLS1.3 will
> fail.
> When TLSv1.3 is available it will be automatically preferred.
>
> Already tested and running with OpenSSL 1.1.1-pre2-dev.
This may change, there's a high probability that TLS 1.3 ciphers will be
controlled via a separate interface, and will be on by default. Therefore,
initially Exim will not be able to disable or customize the standard TLS
1.3 ciphers, but they're all fine, so this is likely mostly for the better.
Later, Exim can add support to also manage TLS 1.3 ciphers (if desired).
Stay tuned.
--
Viktor.