Use TLSv1.3 as default for Cross Site

[pruivo]

No description provided.

[tristantarrant]

Can't we just set TLS and let the handshake figure the best ?

[pruivo]

Can't we just set TLS and let the handshake figure the best ?

Sure; I had the idea that we want to force TLS 1.3 everywhere.
If both the server and gossip-router support TLS 1.2 and TLS 1.3, which version will the protocol choose?

[tristantarrant]

I created a small Java SSL client:

public class SSLTool
{
    public static void main( String[] args ) throws IOException {
        SslContextFactory factory = new SslContextFactory();
        factory
              .keyStoreFileName("server.pfx")
              .keyStorePassword("secret")
              .keyAlias("server")
              .trustStoreFileName("ca.pfx")
              .trustStorePassword("secret")
              .provider("openssl");
        SSLContext context = factory.getContext();
        try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket("localhost", 12001)) {
            SSLSession session = socket.getSession();
            System.out.printf("Provider = %s%n", context.getProvider().getName());
            System.out.printf("Protocol = %s%n", session.getProtocol());
            System.out.printf("Cipher suite = %s%n", session.getCipherSuite());
        }
    }
}

And both SunJSSE and openssl providers return the following:

Provider = SunJSSE
Protocol = TLSv1.3
Cipher suite = TLS_AES_256_GCM_SHA384

Provider = openssl
Protocol = TLSv1.3
Cipher suite = TLS_AES_256_GCM_SHA384

[pruivo]

keeping this on hold until we have a server image with JGRP-2638

[ryanemerson]

@pruivo Is this included in 14.0.0.Final?

[pruivo]

@ryanemerson no, it isn't. Part of the fix is in JGroups code and we didn't upgrade yet.

[ryanemerson]

Thanks for the update. Just let me know when the time is right 👍