On 26/02/2019 06:22, John Jiang wrote:
> Is it possible to check if peer implements middlebox compatibility by
> s_server/s_client?
> It looks like the test tools don't care about this point.
> For example, if a server doesn't send change_cipher_spec after
> HelloRetryRequest, s_client still feels fine. That's not bad. But can I set up
> these tools to check middlebox compatibility?

By default s_server/s_client will have middlebox compatibility on. You can turn it off using the option "-no_middlebox". There is no option to directly tell you if an endpoint is using middlebox compatibility mode or not.

You could figure it out indirectly by using the "-debug" option. This shows you the raw data that is being sent/received by the endpoints. Assuming TLSv1.3 has been negotiated then a remote peer is using middlebox compatibility if you see a sequence like this during the handshake:

read from 0x557afedffb60 [0x557afee057d3] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x557afedffb60 [0x557afee057d8] (1 bytes => 1 (0x1))
0000 - 01

Matt
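The check described in the reply above can be scripted over saved "-debug" output. This is an added example, not part of the original message and not OpenSSL code: the function names and the sample dump are constructed for illustration, and the result is only meaningful when TLSv1.3 has been negotiated.

```python
import re

READ_HDR = re.compile(r"^read from \S+ \[\S+\] \(\d+ bytes => (-?\d+) ")
DUMP_ROW = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")

# Constructed sample (not a real capture): one write, then reads from the peer.
SAMPLE = """\
write to 0x1 [0x2] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01
read from 0x1 [0x2] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 04
read from 0x1 [0x2] (4 bytes => 4 (0x4))
0000 - 02 00 00 00
read from 0x1 [0x2] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01
read from 0x1 [0x2] (1 bytes => 1 (0x1))
0000 - 01
"""

def peer_bytes(debug_text):
    """Reassemble the bytes received from the peer; written data is ignored."""
    data, want = bytearray(), 0
    for line in map(str.strip, debug_text.splitlines()):
        hdr = READ_HDR.match(line)
        row = DUMP_ROW.match(line)
        if hdr:
            want = max(int(hdr.group(1)), 0)   # bytes actually read
        elif row and want:
            chunk = bytes.fromhex(row.group(1).replace("-", " "))[:want]
            data += chunk
            want -= len(chunk)
        elif not row:
            want = 0   # "write to" header or other text: stop collecting
    return bytes(data)

def records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):              # 5-byte record header
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break                              # truncated capture
        yield stream[pos], payload
        pos += 5 + length

def peer_sent_ccs(debug_text):
    """True if the peer sent a change_cipher_spec record (type 0x14, body 0x01)."""
    return any(rec == (0x14, b"\x01") for rec in records(peer_bytes(debug_text)))
```

Walking whole records rather than searching for the byte string `14 03 03 00 01` avoids false matches inside encrypted record bodies.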