<div dir="ltr"><div>Is it possible to check Key/IV update feature via these tools?<br></div>Thanks!<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">2018-05-23 20:33 GMT+08:00 Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 23/05/18 12:39, John Jiang wrote:<br>
> Hi,<br>
> If just using s_server and s_client, can I test the TLS 1.3 features,<br>
> likes HelloRetryRequest and resumption?<br>
<br>
</span>Yes.<br>
<br>
To create a normal (full handshake) TLSv1.3 connection just use<br>
s_server/s_client in the normal way, e.g.<br>
<br>
$ openssl s_server -cert cert.pem -key key.pem<br>
$ openssl s_client<br>
<br>
To test resumption first create a full handshake TLSv1.3 connection and<br>
save the session:<br>
<br>
$ openssl s_server -cert cert.pem -key key.pem<br>
$ openssl s_client -sess_out session.pem<br>
<br>
Close the s_client instance by entering "Q" followed by enter. Then<br>
(without closing the s_server instance) resume the session:<br>
<br>
$ openssl s_client -sess_in session.pem<br>
<br>
<br>
A HelloRetryRequest will occur if the key share provided by the client<br>
is not acceptable to the server. By default the client will send an<br>
X25519 key share, so if the server does not accept that group then an<br>
HRR will result, e.g.<br>
<br>
$ openssl s_server -cert cert.pem -key key.pem -groups P-256<br>
$ openssl s_client<br>
<br>
<br>
Of course a HelloRetryRequest all happens at the protocol layer and is<br>
invisible as far as a user of the command line apps is concerned. You<br>
will have to look at what happens "on the wire" to actually see it in<br>
action - for example by using wireshark. Alternatively you can compile<br>
OpenSSL with the "enable-ssl-trace" option, and pass the "-trace" flag<br>
to s_server or s_client to see what protocol messages are being exchanged.<br>
<br>
Matt<br>
<span class=""><br>
<br>
<br>
> <br>
> 2018-04-29 18:43 GMT+08:00 Kurt Roeckx <<a href="mailto:kurt@roeckx.be">kurt@roeckx.be</a><br>
</span>> <mailto:<a href="mailto:kurt@roeckx.be">kurt@roeckx.be</a>>>:<br>
<span class="">> <br>
> The upcomming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS<br>
> 1.3 brings a lot of changes that might cause incompatibility. For<br>
> an overview see <a href="https://wiki.openssl.org/index.php/TLS1.3" rel="noreferrer" target="_blank">https://wiki.openssl.org/<wbr>index.php/TLS1.3</a><br>
> <<a href="https://wiki.openssl.org/index.php/TLS1.3" rel="noreferrer" target="_blank">https://wiki.openssl.org/<wbr>index.php/TLS1.3</a>><br>
> <br>
> We are considering if we should enable TLS 1.3 by default or not,<br>
> or when it should be enabled. For that, we would like to know how<br>
> applications behave with the latest beta release.<br>
> <br>
> When testing this, it's important that both sides of the<br>
> connection support the same TLS 1.3 draft version. OpenSSL<br>
> currently implements draft 26. We would like to see tests<br>
> for OpenSSL acting as client and server.<br>
> <br>
> <a href="https://github.com/tlswg/tls13-spec/wiki/Implementations" rel="noreferrer" target="_blank">https://github.com/tlswg/<wbr>tls13-spec/wiki/<wbr>Implementations</a><br>
> <<a href="https://github.com/tlswg/tls13-spec/wiki/Implementations" rel="noreferrer" target="_blank">https://github.com/tlswg/<wbr>tls13-spec/wiki/<wbr>Implementations</a>> lists<br>
> other TLS 1.3 implementations and the draft they currently<br>
> support. Note that the versions listed there might not be for the<br>
> latest release. It also lists some https test servers.<br>
> <br>
> We would really like to see a diverse set of applictions being<br>
> tested. Please report any results you have to us.<br>
> <br>
> <br>
> Kurt<br>
> <br>
> -- <br>
> openssl-users mailing list<br>
> To unsubscribe:<br>
> <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</span>> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><wbr>><br>
<div class="HOEnZb"><div class="h5">> <br>
> <br>
> <br>
> <br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div></div></div></div>