Re: Call for testing TLS 1.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 29/04/18 06:43 AM, Kurt Roeckx wrote:

The upcomming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
1.3 brings a lot of changes that might cause incompatibility. For
an overview see https://wiki.openssl.org/index.php/TLS1.3


Looking at https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
there are five pure TLSv1.3 ciphersuites listed. At the moment the
OpenSSL 1.1.1-pre5 utters :

n0$ LD_LIBRARY_PATH=`pwd` apps/openssl ciphers -v | grep " TLSv1\.3 "
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD 
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
n0$

So using a client connect test to apache means build up a separate
instance ( and toolchain perhaps ) running with pre4 beta only and a
self cert and then ... isolate to only TLS_AES_256_GCM_SHA384 ( for
example ) in the apache ssl config. This will take some days just for
an initial test framework and then try :
n0$ LD_LIBRARY_PATH=`pwd` apps/openssl s_client -connect www.tls13.net:443 -tls1_3 
CONNECTED(00000004)
4294967296:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1569:SSL alert number 40 
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 239 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1525051962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
n0$

This should be fun to test.


https://github.com/tlswg/tls13-spec/wiki/Implementations lists
other TLS 1.3 implementations and the draft they currently
support. Note that the versions listed there might not be for the
latest release. It also lists some https test servers.


I'll take a look.

Dennis
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux