TLS 1.3 Support

All editions of IPWorks include support for TLS 1.3. This is available in both client and server side components and can be enabled by setting SSLEnabledProtocols. For instance:

component.Config("SSLEnabledProtocols=12288"); //TLS 1.3

When enabled the component will automatically set UseInternalSecurityAPI to True and will not rely on any system libraries. The TLS13SignatureAlgorithms, TLS13SupportedGroups, and TLS13KeyShareGroups settings control the supported signature algorithms and key exchange groups respectively.

The following SSLEnabledCipherSuites are supported and enabled by default:

• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256

The following TLS13SignatureAlgorithms are supported and enabled by default:

• ed25519
• ed448
• ecdsa_secp256r1_sha256
• ecdsa_secp384r1_sha384
• ecdsa_secp521r1_sha512
• rsa_pkcs1_sha256
• rsa_pkcs1_sha384
• rsa_pkcs1_sha512
• rsa_pss_sha256
• rsa_pss_sha384
• rsa_pss_sha512

The TLS13SupportedGroups control the supported key exchange groups available for use with (EC)DHE during the key exchange. This list should not be modified in most cases. The following values are supported by default:

• ecdhe_x25519
• ecdhe_x448
• ecdhe_secp256r1
• ecdhe_secp384r1
• ecdhe_secp521r1
• ffdhe_2048
• ffdhe_3072
• ffdhe_4096
• ffdhe_6144
• ffdhe_8192

The TLS13KeyShareGroups control the list of groups for which key share values are pregenerated before connecting. When one of these groups is selected during negotiation it saves a round trip. The values below are selected for the best balance between supported values and computational resources required to pregenerate the data. In most cases this value does not need to be changed. The following TLS13KeyShareGroups are supported:

• ecdhe_x25519 (default)
• ecdhe_x448
• ecdhe_secp256r1 (default)
• ecdhe_secp384r1 (default)
• ecdhe_secp521r1
• ffdhe_2048 (default)
• ffdhe_3072 (default)
• ffdhe_4096
• ffdhe_6144
• ffdhe_8192