Thursday, April 30, 2020

Re: How to enable TLS 1.3?

If it's not in the manpage it's probably not there.
I did give a quick look through the relayd source, but from what I saw
there's no TLS1.3 support there.


On 4/30/20 3:55 PM, Chad Hoolie wrote:
> Any idea about relayd though? I don't see any mentioning of 1.3 in man relayd.conf:
>
> tls
> no tlsv1.2
> Disable the TLSv1.2 protocol. The default is to enable
> TLSv1.2.
>
> sslv3 Enable the SSLv3 protocol. The default is no sslv3.
>
> tlsv1 Enable all TLSv1 protocols. This is an alias that
> includes tlsv1.0, tlsv1.1, and tlsv1.2. The default is
> no tlsv1.
>
> tlsv1.0
> Enable the TLSv1.0 protocol. The default is no tlsv1.0.
>
> tlsv1.1
> Enable the TLSv1.1 protocol. The default is no tlsv1.1.
>
> --Chad
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, April 30, 2020 3:04 PM, Martijn van Duren <openbsd+misc@list.imperialat.at> wrote:
>
>> On 4/30/20 1:19 PM, Chad Hoolie wrote:
>>
>>> Hello,
>>> I'm using httpd with acme-client and Let's Encrypt (https://www.romanzolotarev.com/openbsd/acme-client.html).
>>> This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is needed to achieve A+ ratings across the board.
>>> Anybody know how to make the upgrade?
>>> --Chad
>>
>> httpd(8):
>> protocols string Specify the TLS protocols to enable for this server.
>> If not specified, the value "default" will be used (secure protocols;
>> TLSv1.2-only). Refer to the tls_config_parse_protocols(3) function for
>> other valid protocol string values.
>>
>> tls_config_parse_protocols(3):
>> Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
>> supported protocols),
>>
>> untested, but seems pretty self-explanatory.
>
>
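
An added example, not part of the thread and not OpenBSD code: a Python check that reads an httpd.conf and reports, per server, whether the effective protocols string enables tlsv1.3 and whether it also enables tlsv1.0 or tlsv1.1. The sample configuration and host names are constructed, and treating "all" as every version keyword listed in the quoted manpage excerpt is an assumption.

```python
import re

# Version keywords named in the tls_config_parse_protocols(3) excerpt quoted above.
VERSIONS = ("tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3")
ALIASES = {
    "default": {"tlsv1.2"},  # httpd(8) excerpt: "default" is TLSv1.2-only
    "all": set(VERSIONS),    # assumption: every version keyword in the excerpt
}
LEGACY = {"tlsv1.0", "tlsv1.1"}

# Constructed sample httpd.conf; host names are placeholders.
SAMPLE_CONF = '''
server "a.example.org" {
	listen on * tls port 443
}
server "b.example.org" {
	listen on * tls port 443
	tls protocols "all"
}
server "c.example.org" {
	listen on * tls port 443
	tls { protocols "tlsv1.2,tlsv1.3" }
}
'''

def expand(proto_string):
    """Return (enabled versions, keywords not listed in the excerpt)."""
    enabled, unknown = set(), []
    for word in re.split(r"[,:]", proto_string.lower()):  # comma or colon separated
        word = word.strip()
        if word in ALIASES:
            enabled |= ALIASES[word]
        elif word in VERSIONS:
            enabled.add(word)
        elif word:
            unknown.append(word)
    return enabled, unknown

def audit(conf):
    """Map each server name to its TLS 1.3 / legacy protocol status."""
    report = {}
    parts = re.split(r'^server\s+"([^"]+)"', conf, flags=re.M)
    for name, body in zip(parts[1::2], parts[2::2]):
        m = re.search(r'\bprotocols\s+"([^"]*)"', body)
        # No protocols directive means the documented "default" applies.
        enabled, unknown = expand(m.group(1) if m else "default")
        report[name] = {"tls13": "tlsv1.3" in enabled,
                        "legacy": sorted(enabled & LEGACY), "unknown": unknown}
    return report

if __name__ == "__main__":
    for server, status in audit(SAMPLE_CONF).items():
        print(server, status)
```

The second server shows why "all" is a poor way to get TLS 1.3: under the assumption above it turns on tlsv1.0 and tlsv1.1 as well, while an explicit "tlsv1.2,tlsv1.3" does not.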
