[openssl-dev] Running against BoringSSL's SSL test suite

David Benjamin davidben at google.com
Wed Mar 9 17:08:21 UTC 2016


On Wed, Mar 9, 2016 at 5:07 AM Kanaka Kotamarthy <kotamarthyd at gmail.com>
wrote:

> Hi
>
> I am even testing OpenSSL with BoringSSL's test cases using
> OpenSSL-1.1.0-pre2. Trying to find out reasons of OpenSSL's failures
> for particular cases.
>
> DTLS 1.0 session resumption has something wrong. If s_server is started
> with -dtls and s_client with -dtls1 -reconnect, session resumption is not
> being done. The reason for this may be that version negotiation for DTLS
> is done after loading the previous session, and the check for s->version and
> s->session->version fails in tls_process_client_hello.
>

See RT #4392.
https://rt.openssl.org/Ticket/Display.html?id=4392


> And also OpenSSL fails with Resume-Client-NoResume cases. Do you have
> any report on which test cases fail and the reasons for the failures?
>

RT tickets 4387 through 4395 were the failures I've triaged. I'm sure
there's more things in there to look through.

I don't believe Resume-Client-NoResume fails for me. Perhaps something was
fixed between master and 1.1.0-pre2.

David


> Thank you
> Durga.
>
> On Tue, Mar 8, 2016 at 3:19 AM, David Benjamin <davidben at google.com>
> wrote:
> > Hi folks,
> >
> > So, we've by now built up a decent-sized SSL test suite in BoringSSL. I was
> > bored and ran it against OpenSSL master. It revealed a number of bugs. One
> > is https://github.com/openssl/openssl/pull/603. I'll be filing tickets
> > shortly for the remaining ones I've triaged, but I thought I'd send this
> > separately rather than duplicate it everywhere.
> >
> > Emilia also suggested there may be room to collaborate on testing. If
> > nothing else, just borrowing ideas or porting tests to/from your TLSProxy
> > setup. (Like, say, the ones that caught the bugs I'll be reporting. :-) )
> > So, here's an introduction on how it all works:
> >
> > To run the tests on OpenSSL, clone BoringSSL:
> > https://boringssl.googlesource.com/boringssl/
> > Then patch in this change. (Click the "Download" in the upper-right for
> > options.)
> > https://boringssl-review.googlesource.com/#/c/7332/
> > Then follow the instructions in the commit message.
> >
> > The tests themselves and the runner logic live in ssl/test/runner/runner.go:
> > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922
> >
> > They work by running an unmodified TLS stack in a shim binary against a copy
> > of Go's. We patch our copy with options for weird behavior to test against:
> > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414
> >
> > Go and shim communicate entirely with sockets and (tons of) command-line
> > flags, though it is slightly overfit to BoringSSL's behavior and checks
> > error strings a lot. The shim also has options like -async mode which we use
> > on a subset of tests to stress state machine resumption. (This has saved me
> > from state machine bugs so many times.)
> > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770
> > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826
> >
> > I hope this is useful! Bugs and patches will follow this mail, as I write
> > them up.
> >
> > David