Description
Hello, we're using gost-engine (as engine) with Nginx and it works fine with TLS 1.2.
There was a PR merged into master that brings support for TLS 1.3 to the provider. And it works perfectly fine, which is great.
So TLS 1.2 is working great with the engine and TLS 1.3 is working great with the provider. However, we're struggling to make TLS 1.2 work together with TLS 1.3.
TLS 1.3 is not supported by the engine at all, but if I try TLS 1.2 with the provider I get:
SSL_CTX_set_cipher_list("GOST2012-MAGMA-MAGMAOMAC:GOST2012-KUZNYECHIK-KUZNYECHIKOMAC") failed (SSL: error:0A0000B9:SSL routines::no cipher match)
That's probably related?
I couldn't find any direct mention that "TLS 1.2 is not supported by the provider", but from the Readme:
Provider:
This is currently work in progress, with only a subset of all intended functionality implemented: symmetric ciphers, hashes and MACs.
and from the TLS 1.3 PR above:
Implementation was focused on the functionality necessary for running the TLS 1.3 protocol with GOST. Support for TLS versions below 1.3 was not considered or implemented.
I can guess that TLS 1.2 is not supported by the provider, and that making the server run with TLS 1.2 + TLS 1.3 is not feasible at the moment.
Can you please confirm? Or maybe I'm doing something wrong and it should actually work.
Appreciate your help in advance!
I will duplicate this in Russian below, in case it speeds up the conversation a bit :)
Hi, we use gost-engine in engine mode in our Nginx. It works great with TLS 1.2.
Recently a PR was merged into master that adds TLS 1.3 support, and it also works great.
So TLS 1.2 works great in engine mode and TLS 1.3 in provider mode. But we can't get TLS 1.2 and TLS 1.3 to work at the same time. As I understand it, the engine does not support TLS 1.3. And when we use the provider we get this error:
SSL_CTX_set_cipher_list("GOST2012-MAGMA-MAGMAOMAC:GOST2012-KUZNYECHIK-KUZNYECHIKOMAC") failed (SSL: error:0A0000B9:SSL routines::no cipher match)
Could this be related?
I couldn't find a direct mention of whether the provider supports TLS 1.2, but based on what the Readme says:
Provider:
This is currently work in progress, with only a subset of all intended functionality implemented: symmetric ciphers, hashes and MACs.
and the PR above:
Implementation was focused on the functionality necessary for running the TLS 1.3 protocol with GOST. Support for TLS versions below 1.3 was not considered or implemented.
it seems the answer is NO. Could you tell me whether that's the case, or are we doing something wrong?
Thanks in advance for your help!