Re: Call for testing TLS 1.3

2018-06-20 17:01 GMT+08:00 Matt Caswell <matt@xxxxxxxxxxx>:


On 20/06/18 07:11, John Jiang wrote:
> 2018-06-19 6:21 GMT+08:00 Matt Caswell <matt@xxxxxxxxxxx>:
>
>
>
>     On 18/06/18 21:23, Hubert Kario wrote:
>     > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote:
>     >> On 08/06/18 02:48, John Jiang wrote:
>     >>> Is it possible to check Key/IV update feature via these tools?
>     >>> Thanks!
>     >>
>     >> Yes. See the "CONNECTED COMMANDS" sections of these pages:
>     >> https://www.openssl.org/docs/manmaster/man1/s_server.html
>     >> https://www.openssl.org/docs/manmaster/man1/s_client.html
>     >>
>     >> Basically typing "k" or "K" from an s_server/s_client session will issue
>     >> a KeyUpdate message. Using the capitalised form ("K"), additionally
>     >> requests a KeyUpdate from the peer.
>     >
>     > Are there similar commands to perform or control post-handshake client
>     > authentication?
>
>     Yes. As mentioned on the above s_server link, type "c" from an s_server
>     session to send a certificate request to the client.
>
> With the mentioned pages, I don't get how to test 0-RTT.
> But it sounds that OpenSSL already supports this feature.

It is on those pages - just not in the "CONNECTED COMMANDS" section.

To test 0-RTT early data start s_server with the "-early_data" flag:

$ openssl s_server -early_data

Obtain a session that can later be used for sending early data:

$ openssl s_client -sess_out session.pem

Type "Q" in the s_client window to close the connection. Now you can do
a 0-RTT handshake and send early data (assuming the existence of a file
"myearlydata.dat" containing the early data you want to send):

$ openssl s_client -sess_in session.pem -early_data myearlydata.dat

If s_server doesn't use the -early_data option, the NewSessionTicket won't contain the early_data extension,
and then in the second connection, s_client won't send early data even if the -early_data option is used.
Right?
Is it possible to get s_client to send early data even though the server doesn't support 0-RTT?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
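
The early_data extension in NewSessionTicket that the last question refers to is defined in RFC 8446, section 4.6.1. The following is an added example, not code from this thread or from OpenSSL: it parses a decrypted NewSessionTicket handshake message and reports whether the ticket advertises early data. The two sample messages, their field values and the names build_ticket and parse_new_session_ticket are constructed for illustration.

```python
import struct

HS_NEW_SESSION_TICKET = 4   # HandshakeType.new_session_ticket (RFC 8446)
EXT_EARLY_DATA = 42         # ExtensionType.early_data (RFC 8446)

def parse_new_session_ticket(msg: bytes) -> dict:
    """Parse one plaintext TLS 1.3 NewSessionTicket handshake message."""
    if len(msg) < 4 or msg[0] != HS_NEW_SESSION_TICKET:
        raise ValueError("not a NewSessionTicket handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length mismatch")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated NewSessionTicket")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    lifetime, age_add = struct.unpack("!II", take(8))
    nonce = take(take(1)[0])                        # opaque ticket_nonce<0..255>
    ticket = take(int.from_bytes(take(2), "big"))   # opaque ticket<1..2^16-1>
    ext_len = int.from_bytes(take(2), "big")        # Extension extensions<0..2^16-2>
    if pos + ext_len != len(body):
        raise ValueError("extensions length mismatch")
    max_early = None                                # None: no early_data extension
    while pos < len(body):
        ext_type, length = struct.unpack("!HH", take(4))
        data = take(length)
        if ext_type == EXT_EARLY_DATA:
            if length != 4:
                raise ValueError("early_data in a ticket must be a uint32")
            max_early = int.from_bytes(data, "big")  # max_early_data_size
    return {"lifetime": lifetime, "ticket": ticket, "max_early_data_size": max_early}

def build_ticket(extensions: bytes) -> bytes:
    """Build a constructed sample message (all field values are made up)."""
    body = (struct.pack("!II", 7200, 0x01020304) + b"\x01\x00" +
            struct.pack("!H", 4) + b"TKT!" +
            struct.pack("!H", len(extensions)) + extensions)
    return bytes([HS_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body

# Constructed samples: one ticket with the early_data extension, one without.
WITH_EARLY_DATA = build_ticket(struct.pack("!HHI", EXT_EARLY_DATA, 4, 16384))
WITHOUT_EARLY_DATA = build_ticket(b"")

if __name__ == "__main__":
    for name, msg in (("with", WITH_EARLY_DATA), ("without", WITHOUT_EARLY_DATA)):
        print(name, parse_new_session_ticket(msg)["max_early_data_size"])
```
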
