Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support of server side TLS 1.3 #757

Closed
hfunke opened this issue Jul 24, 2020 · 7 comments
Closed

Support of server side TLS 1.3 #757

hfunke opened this issue Jul 24, 2020 · 7 comments

Comments

@hfunke
Copy link

hfunke commented Jul 24, 2020

Hi!
Since 2005 I’m using bouncy castle in open source software and I’m happy that bouncy castle supports now in version 1.66 also client side TLS 1.3. Is there a roadmap for server side TLS 1.3? I‘m sure several developers are still waiting for TLS 1.3 to use it in their projects (e.g. see issue #345).
Thanks for your support :)
Holger
@peterdettman
Copy link
Collaborator

Actually 1.66 does not support client-side TLS 1.3, although it's quite close to complete and is being tested by a few beta testers. In 1.66 we added the PSS signature schemes from RFC 8446 and made those available in TLS 1.2 (per RFC 8446 1.3 Updates Affecting TLS 1.2 - all of which are now done).

To your question though, server-side TLS 1.3 is already being worked on and should be entering a beta test phase within the next few weeks. All going well there is a reasonable chance of it being in the next feature release.

@rdicroce
Copy link
Contributor

rdicroce commented Oct 5, 2020

Any update on this? If it's not finished, what parts aren't done yet? Just wondering if it's complete enough to be usable for a project I'm expecting to work on soon.

@peterdettman
Copy link
Collaborator

I am in the process of completing HelloRetryRequest support in the server and that is the last feature needed for basic functionality. However there are several dozen TODOs for smaller bits and pieces that might preclude production usage before the end of the year.

I should point out that if your plans revolve around new user-visible TLS 1.3 features like early data, external PSK, or half-closed sockets, these are not (yet) in scope for us.

@rdicroce
Copy link
Contributor

rdicroce commented Oct 7, 2020

Thanks for the reply. I won't need any of the features you listed, but I will need raw public keys (RFC 7250). Cached info (RFC 7924) would be nice to have. Have those been implemented? If not, I might have time to work on them in the near future.

@martin-robo
Copy link

martin-robo commented Feb 19, 2021
edited
Loading

Hi BC-Team, BC 1.68 states TLS 1.3 is now officially supported. But this issue is still open. Is there any specific reason?

Main reason I am writing is 0-RTT though. I must make sure my TLS server will never support this. JSSE seems to officially not support 0-RTT. I am using BCJSSE. You already have some code in the library but it seems to be never called. Did I get this right and it is currently not supported?
So until JSSE adds support of this somehow, 0-RTT won't be enabled with BCJSSE, right? I hope this question doesn't sound too stupid, but I really have to make sure.

@peterdettman
Copy link
Collaborator

@martin-robo No, we don't support 0-RTT and if it were ever added it would require explicit enabling rather than being automatic.

@peterdettman
Copy link
Collaborator

Server support for TLS 1.3 has been in for a while now, and is further improved in the imminent 1.69 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hfunke @rdicroce @martin-robo @peterdettman