I have done some preliminary testing with 1.8.8-1ubuntu0.5, and most
things look good.

However, in our case we have an old (external) client using java6 that
we sadly still need to support for a while longer. Using the connection
simulation in testssl.sh (and also ssllabs) I can see that connections
from java6 now fail with our configuration where they previously
succeeded.

I suspect that this is not (directly) related to TLSv1.3. The problem
with java6 is usually that it only supports dh parameters with 1024 bits
(and TLSv1.0).

According to testssl.sh the DH parameters offered now are:
 DH group offered:            RFC3526/Oakley Group 15 (3072 bits)

Before the upgrade it was:
 DH group offered:            HAProxy (1024 bits)

I have tried generating custom dh parameters with 1024 bits and
specifying them both with the default ssl-dh-param-file setting and
directly in the certificate file. I have also tried disabling TLSv1.3
(using no-tlsv13). Neither seems to help.

https://bugs.launchpad.net/bugs/1841936

Title:
  Rebuild haproxy with openssl 1.1.1 will change features (bionic)
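The "DH group offered: ... bits" figure that testssl.sh reports is the size of the prime in the DHE ServerKeyExchange message the server sends. The following is an added example (not from this bug report, HAProxy or testssl.sh) that decodes that message and checks the prime size against the 1024-bit ceiling the report attributes to Java 6 clients; the sample messages are constructed inline and their "primes" are dummy values, not real DH moduli.

```python
import struct

def _read_vec16(buf, off):
    """Read a <1..2^16-1> length-prefixed opaque vector starting at buf[off]."""
    (n,) = struct.unpack_from("!H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n

def dhe_params_from_server_key_exchange(handshake):
    """Parse a TLS 1.0-1.2 DHE ServerKeyExchange handshake message (type 12).
    Returns (p_bits, g, ys_bits); the signature after ServerDHParams is ignored."""
    if handshake[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    p, off = _read_vec16(body, 0)      # dh_p
    g, off = _read_vec16(body, off)    # dh_g
    ys, off = _read_vec16(body, off)   # dh_Ys (server public value)
    p_bits = int.from_bytes(p, "big").bit_length()
    ys_bits = int.from_bytes(ys, "big").bit_length()
    return p_bits, int.from_bytes(g, "big"), ys_bits

def build_server_key_exchange(p_int, g_int, ys_int):
    """Encode ServerDHParams (without the trailing signature) as a
    ServerKeyExchange handshake message; used here only to build offline samples."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p_int) + vec(g_int) + vec(ys_int)
    return bytes([12]) + len(body).to_bytes(3, "big") + body

# Limit the bug report attributes to the old java6 client (assumption taken from the report).
JAVA6_MAX_DH_BITS = 1024

def java6_compatible(p_bits):
    """True if a client limited to 1024-bit DH could complete the exchange."""
    return p_bits <= JAVA6_MAX_DH_BITS

# Constructed samples: dummy 3072-bit and 1024-bit moduli (NOT real primes) standing in
# for the "RFC3526 Group 15 (3072 bits)" and "HAProxy (1024 bits)" groups from the report.
SAMPLE_AFTER_UPGRADE = build_server_key_exchange((1 << 3071) | 1, 2, (1 << 3070) | 5)
SAMPLE_BEFORE_UPGRADE = build_server_key_exchange((1 << 1023) | 1, 2, (1 << 1000) | 3)

if __name__ == "__main__":
    for name, msg in (("after", SAMPLE_AFTER_UPGRADE), ("before", SAMPLE_BEFORE_UPGRADE)):
        bits, g, _ = dhe_params_from_server_key_exchange(msg)
        print(f"{name} upgrade: DH prime {bits} bits, g={g}, java6 ok: {java6_compatible(bits)}")
```

A real message can be captured with a packet capture of a DHE handshake and fed to the parser as the raw handshake bytes.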