• Registered: 2019-09-24
  • Posts: 5

Topic: Testing TLS1.3

I made a build today using the latest wolfSSL source from https://github.com/wolfSSL/wolfssl/tree … crypt/src, defined WOLFSSL_TLS13 in user_settings.h and use 

method = wolfTLSv1_3_server_method();

when I initialize the wolfSSL library. But when I test with the latest version of Chrome it still uses TLS1.2 (though it is 6% slower, presumably because it's trying to use TLS1.3 and failing). In Chrome Developer Tools I see the following under "Security":

The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_ECDSA with P-256, and AES_128_GCM.

Wireshark capture confirms that TLS1.2 is being used.

What more must I do to force the use of TLS1.3?

Share

  • Registered: 2015-10-07
  • Posts: 430

Re: Testing TLS1.3

Hi bsda_dev,

I compared the generated wolfssl/options.h using ./configure and ./configure --enable-tls13 and the resulting build option differences are:

#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define WC_RSA_PSS
#define HAVE_HKDF

I am surprised that server method would work and allow TLSv1.2, since it should not allow downgrade unless you are using the wolfSSLv23_server_method. Please also share your Wireshark trace. If you want to submit directly to our support email support@wolfssl.com and reference this forum post.

Thanks,
David Garske, wolfSSL

Share