> On Jun 18, 2018, at 3:12 PM, Ben Personick <ben.person...@iongroup.com> wrote:
>
> So essentially TLS 1.3 drops support for DH/DHE ciphers on RSA keys, but
> willl otherwise work as expected?
No, it drops support for *non* (EC)DHE RSA ciphers,
keeping *only* the (EC)DHE RSA ciphers, for specific
FFDHE groups (as before) specific ECDHE curves.
Note that (IIRC) the TLS 1.3 implementation in OpenSSL 1.1.1
will not include support the TLS 1.3 finite-field DHE groups,
and so TLS 1.3 interoperability with OpenSSL *requires* ECDHE
support. If your implementation offers TLS 1.3, but offers
no ECDHE signature algorithms, the handshake will (IIRC) likely
fail.
So what's becoming effectively mandatory with TLS 1.3 is
ECDHE key agreement, not ECDSA certificates, though TLS 1.3
clients really should also support connections to servers that
have ECDSA P-256, P-384, P-521, Ed25519 and Ed448 certificates.
But servers can stick with RSA certificates so long as they
are willing to do ECDHE key agreement.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
