crossbar
support TLS v1.3
currently, a node configured with best/state-of-the-art TLS configuration/certs looks like:
@meejah do you know if/when twisted has it?
AFAIK Twisted support should "come with" the underlying pyOpenSSL + OpenSSL libraries .. unless the actual Python-level APIs have to do something special to activate 1.3?
ok .. a couple more notes:
oberstet@intel-nuci7:~$ openssl version
OpenSSL 1.1.1 11 Sep 2018
oberstet@intel-nuci7:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
oberstet@intel-nuci7:~$
- https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-18.04-OpenSSL-1.1.1-TLS
- https://wiki.openssl.org/index.php/TLS1.3
- https://github.com/twisted/twisted/pull/1100
- https://twisted.readthedocs.io/en/twisted-20.3.0/core/howto/ssl.html#tls-protocol-options
and
options = CertificateOptions(..., raiseMinimumTo=TLSVersion.TLSv1_3)
more notes:
- https://stackoverflow.com/questions/68271994/disable-tls-1-3-in-twisted-python
- https://www.pyopenssl.org/en/stable/api/ssl.html?highlight=#OpenSSL.SSL.TLS1_3_VERSION
- https://twistedmatrix.com/documents/current/api/twisted.internet.ssl.CertificateOptions.html
twisted.internet.ssl.CertificateOptions:
raiseMinimumTo=ssl.TLSVersion.TLSv1_3
lowerMaximumSecurityTo=ssl.TLSVersion.TLSv1_3
we should also check and make sure the following default ciphers are enabled:
- https://ciphersuite.info/cs/TLS_AES_256_GCM_SHA384/
- https://ciphersuite.info/cs/TLS_CHACHA20_POLY1305_SHA256/
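The version pin and the cipher-suite check discussed in this thread, as an added example (not code from the crossbar project or this issue): it uses the standard-library `ssl` module in place of Twisted's `CertificateOptions`, on the assumption that both sit on the same OpenSSL build, and maps `raiseMinimumTo` / `lowerMaximumSecurityTo` onto `minimum_version` / `maximum_version`. The suite names are the two from the links above.

```python
import ssl

# The two TLS 1.3 suites named in the thread that must remain enabled.
REQUIRED_TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def build_tls13_only_context() -> ssl.SSLContext:
    """Server context pinned to TLS 1.3 only.

    Standard-library equivalent (assumption) of Twisted's
    CertificateOptions(raiseMinimumTo=TLSVersion.TLSv1_3,
                       lowerMaximumSecurityTo=TLSVersion.TLSv1_3).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # raiseMinimumTo
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3  # lowerMaximumSecurityTo
    return ctx


def enabled_tls13_suites(ctx: ssl.SSLContext) -> set:
    """Names of the TLS 1.3 cipher suites OpenSSL will offer for this context."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"}


def check_tls13_config(ctx: ssl.SSLContext) -> dict:
    """Report whether the version pin holds and the required suites are enabled."""
    enabled = enabled_tls13_suites(ctx)
    return {
        "min_is_tls13": ctx.minimum_version == ssl.TLSVersion.TLSv1_3,
        "max_is_tls13": ctx.maximum_version == ssl.TLSVersion.TLSv1_3,
        "missing_suites": sorted(REQUIRED_TLS13_SUITES - enabled),
        "enabled_tls13_suites": sorted(enabled),
    }


if __name__ == "__main__":
    for key, value in check_tls13_config(build_tls13_only_context()).items():
        print(f"{key}: {value}")
```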