On Wednesday, 27 February 2019 03:24:38 CET John Jiang wrote:
> I had tried TLS Fuzzer, and it worked for me.
> I just wished that OpenSSL can do the similar things.

The problem is that the middlebox compatibility mode is not defined strictly by the standard, and while all the popular TLS libraries (OpenSSL, Mozilla NSS, GnuTLS) agree on where the CCS should be inserted in the handshake, placing it in other locations may be necessary for some specific middleboxes. IOW, there is no one correct location for CCS, so if openssl just reported that the CCS was received (or if it was received at one specific place in handshake), it could be misleading.

Also, let's be clear, middlebox compatibility mode is a thing because of bugs in other implementations, so it's better to spend time on basically anything else than polishing stuff around it.

> On Tue, Feb 26, 2019 at 9:56 PM Hubert Kario <hkario@xxxxxxxxxx> wrote:
> > On Tuesday, 26 February 2019 07:22:52 CET John Jiang wrote:
> > > Is it possible to check if peer implements middlebox compatibility by
> > > s_server/s_client?
> > > It looks the test tools don't care this point.
> > > For example, if a server doesn't send change_cipher_spec after
> > > HelloRetryRequest, s_client still feels fine. That's not bad. But can I
> > > setup these tools to check middlebox compatibility?
> >
> > As Matt said, there's no human-readable output that shows that.
> >
> > tlsfuzzer does verify if the server sends ChangeCipherSpec and at what
> > point in the connection (all scripts expect it right after ServerHello or
> > right after HelloRetryRequest depending on connection).
> >
> > You can use
> >
> > https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-conversation.py
> > https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-hrr.py and
> > https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-session-resumption.py
> > respectively to test regular handshake, one with HelloRetryRequest and
> > one that performs session resumption.
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
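The check described in the thread (does the server send a ChangeCipherSpec at all, and does it sit right after ServerHello or right after HelloRetryRequest), as an added Python example that is not part of this thread, of OpenSSL or of tlsfuzzer. It parses a raw TLS record stream from the server, assumes no handshake message is fragmented across records, and the sample streams at the bottom are constructed rather than captured.

```python
import struct
CCS_TYPE, HANDSHAKE_TYPE, APPDATA_TYPE = 20, 22, 23
HS_SERVER_HELLO = 2
# Special ServerHello.random that marks a HelloRetryRequest (RFC 8446, 4.1.3)
HRR_RANDOM = bytes.fromhex("CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")

def parse_records(data):
    """Yield (content_type, fragment) pairs from a raw TLS record stream."""
    off = 0
    while off < len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        frag, off = data[off + 5:off + 5 + length], off + 5 + length
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        yield ctype, frag

def ccs_placement(stream):
    """Classify the server's CCS: "after_server_hello" / "after_hello_retry_request"
    (what the tlsfuzzer scripts expect), "absent", or "unexpected" (elsewhere)."""
    last = None  # last message seen: "SH", "HRR" or "other"
    for ctype, frag in parse_records(stream):
        if ctype == CCS_TYPE:
            return {"SH": "after_server_hello",
                    "HRR": "after_hello_retry_request"}.get(last, "unexpected")
        if ctype != HANDSHAKE_TYPE:
            last = "other"  # e.g. encrypted flight disguised as application_data
            continue
        off = 0
        while off + 4 <= len(frag):  # several handshake msgs may share a record
            hs_len = int.from_bytes(frag[off + 1:off + 4], "big")
            body = frag[off + 4:off + 4 + hs_len]
            if frag[off] != HS_SERVER_HELLO:
                last = "other"
            else:  # an HRR is a ServerHello carrying the special random value
                last = "HRR" if body[2:34] == HRR_RANDOM else "SH"
            off += 4 + hs_len
    return "absent"

def record(ctype, frag):  # TLS record header with legacy version 0x0303
    return struct.pack("!BHH", ctype, 0x0303, len(frag)) + frag

def server_hello(random):  # minimal constructed ServerHello, no extensions
    body = b"\x03\x03" + random + b"\x00\x13\x01\x00\x00\x00"
    return bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body

# Constructed sample streams (not real captures); APP = encrypted flight
CCS, APP = record(CCS_TYPE, b"\x01"), record(APPDATA_TYPE, b"\xde\xad")
COMPAT = record(HANDSHAKE_TYPE, server_hello(b"\x11" * 32)) + CCS + APP
HRR = record(HANDSHAKE_TYPE, server_hello(HRR_RANDOM)) + CCS + APP
NO_CCS = record(HANDSHAKE_TYPE, server_hello(b"\x22" * 32)) + APP
LATE_CCS = record(HANDSHAKE_TYPE, server_hello(b"\x33" * 32)) + APP + CCS
```

Feed `ccs_placement` the server's bytes from a real connection (e.g. a pcap payload) to see which of the four cases a given peer falls into; "unexpected" is exactly the case the thread warns about, where a CCS is present but not where the common implementations put it.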