[openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

Matt Caswell matt at openssl.org
Tue Mar 3 14:43:17 UTC 2015



On 03/03/15 14:28, David Woodhouse wrote:
> On Tue, 2015-03-03 at 12:00 +0000, Matt Caswell wrote:
>>
>>> I'll look at adding test cases to exercise the DTLS_BAD_VER support, to
>>> try to avoid this kind of thing happening in future.
>>>
>>
>> That would be fantastic to have.
> 
> I took a quick look at this. Adding DTLSv1 and DTLSv1.2 support to
> ssl/ssltest.c isn't particularly hard,

If you fancy taking on that task, that would be really useful just in
itself.


> but we don't actually *have*
> server support for DTLS1_BAD_VER.
> 
> I suppose I could fix it up, but it doesn't seem to make a lot of sense.

Agreed.

> It's the wrong thing to test against *anyway* since there are plenty of
> failure modes in which a regression could be introduced in generic code
> and OpenSSL would remain compatible with *itself* anyway.
> 
> So I'm torn between doing a minimal reimplementation of the server side
> and making OpenSSL talk to that, or a dirty replay attack such as the
> one I had when I was first working it out:
> http://david.woodhou.se/dtls-test.c
> 
The minimal reimplementation sounds like it might be the more flexible
base to work from (and could even be the basis for future DTLSv1/1.2
tests). But it also sounds like quite a bit more work to me. Either way,
having *some* tests has got to be a lot better than *no* tests like we
have now!

Matt

