On 08/06/18 02:48, John Jiang wrote:
> Is it possible to check Key/IV update feature via these tools?
> Thanks!

Yes. See the "CONNECTED COMMANDS" sections of these pages:

https://www.openssl.org/docs/manmaster/man1/s_server.html
https://www.openssl.org/docs/manmaster/man1/s_client.html

Basically typing "k" or "K" from an s_server/s_client session will issue a
KeyUpdate message. Using the capitalised form ("K") additionally requests a
KeyUpdate from the peer.

Matt

>
> 2018-05-23 20:33 GMT+08:00 Matt Caswell <matt@xxxxxxxxxxx>:
>
> > On 23/05/18 12:39, John Jiang wrote:
> > > Hi,
> > > If just using s_server and s_client, can I test the TLS 1.3 features,
> > > like HelloRetryRequest and resumption?
> >
> > Yes.
> >
> > To create a normal (full handshake) TLSv1.3 connection just use
> > s_server/s_client in the normal way, e.g.
> >
> > $ openssl s_server -cert cert.pem -key key.pem
> > $ openssl s_client
> >
> > To test resumption first create a full handshake TLSv1.3 connection and
> > save the session:
> >
> > $ openssl s_server -cert cert.pem -key key.pem
> > $ openssl s_client -sess_out session.pem
> >
> > Close the s_client instance by entering "Q" followed by enter. Then
> > (without closing the s_server instance) resume the session:
> >
> > $ openssl s_client -sess_in session.pem
> >
> > A HelloRetryRequest will occur if the key share provided by the client
> > is not acceptable to the server. By default the client will send an
> > X25519 key share, so if the server does not accept that group then an
> > HRR will result, e.g.
> >
> > $ openssl s_server -cert cert.pem -key key.pem -groups P-256
> > $ openssl s_client
> >
> > Of course a HelloRetryRequest all happens at the protocol layer and is
> > invisible as far as a user of the command line apps is concerned. You
> > will have to look at what happens "on the wire" to actually see it in
> > action - for example by using wireshark. Alternatively you can compile
> > OpenSSL with the "enable-ssl-trace" option, and pass the "-trace" flag
> > to s_server or s_client to see what protocol messages are being
> > exchanged.
> >
> > Matt
> >
> > > 2018-04-29 18:43 GMT+08:00 Kurt Roeckx <kurt@xxxxxxxxx>:
> > >
> > > > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
> > > > 1.3 brings a lot of changes that might cause incompatibility. For
> > > > an overview see https://wiki.openssl.org/index.php/TLS1.3
> > > >
> > > > We are considering if we should enable TLS 1.3 by default or not,
> > > > or when it should be enabled. For that, we would like to know how
> > > > applications behave with the latest beta release.
> > > >
> > > > When testing this, it's important that both sides of the
> > > > connection support the same TLS 1.3 draft version. OpenSSL
> > > > currently implements draft 26. We would like to see tests
> > > > for OpenSSL acting as client and server.
> > > >
> > > > https://github.com/tlswg/tls13-spec/wiki/Implementations lists
> > > > other TLS 1.3 implementations and the draft they currently
> > > > support. Note that the versions listed there might not be for the
> > > > latest release. It also lists some https test servers.
> > > >
> > > > We would really like to see a diverse set of applications being
> > > > tested. Please report any results you have to us.
> > > >
> > > > Kurt
> > > >
> > > > --
> > > > openssl-users mailing list
> > > > To unsubscribe:
> > > > https://mta.openssl.org/mailman/listinfo/openssl-users
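The s_server/s_client procedure quoted above, scripted as an added example (not part of this thread and not OpenSSL's own tooling): a full handshake saved with -sess_out, a resumption with -sess_in checked through the New/Reused line s_client prints, and a connection to a -groups P-256 server with -msg so the HelloRetryRequest becomes visible as a second ServerHello without an enable-ssl-trace build. Assumed: openssl 1.1.1 or later on PATH and loopback port 14433 free.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the s_server/s_client checks above.
# Assumed: openssl 1.1.1 or later on PATH, loopback port 14433 free, writable TMPDIR.
set -e
WORK=$(mktemp -d)
PORT=14433
trap 'rm -rf "$WORK"' EXIT

make_cert() {  # throwaway self-signed certificate for s_server
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

start_server() {  # $1: extra options, e.g. "-groups P-256" to reject the client's X25519 share
  # -www keeps s_server away from stdin so it can sit in the background
  openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    -www $1 </dev/null >"$WORK/server.log" 2>&1 &
  SERVER_PID=$!
  sleep 1
}

stop_server() { kill "$SERVER_PID" 2>/dev/null || true; wait "$SERVER_PID" 2>/dev/null || true; }

client() {  # one s_client run; "Q" only after a pause so the NewSessionTicket messages arrive first
  (sleep 1; echo Q) | openssl s_client -connect "127.0.0.1:$PORT" -msg "$@" 2>&1 || true
}

# Pull "New" or "Reused" out of the "New, TLSv1.3, Cipher is ..." line s_client prints
session_state() { awk -F', ' '/^(New|Reused), TLSv1\.3, Cipher/ { print $1 }'; }

check_resumption() {  # full handshake saved with -sess_out, then resumed with -sess_in
  make_cert
  start_server ""
  first=$(client -sess_out "$WORK/session.pem" | session_state)
  second=$(client -sess_in "$WORK/session.pem" | session_state)
  stop_server
  echo "$first $second"   # expected: New Reused
}

count_server_hellos() {  # the HRR is encoded as a ServerHello, so -msg should log two of them
  make_cert
  start_server "-groups P-256"
  n=$(client | grep -c -E 'ServerHello|HelloRetryRequest' || true)
  stop_server
  echo "$n"
}
echo "full handshake, then resumption: $(check_resumption)"
echo "ServerHello messages against a P-256-only server: $(count_server_hellos)"
```

The -msg lines also show the second ClientHello the client sends in answer to the HRR, which is what wireshark would show on the wire.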