[openssl-dev] FW: 1.1 master fails mac-then-encrypt test

Matt Caswell matt at openssl.org
Mon Nov 28 22:55:34 UTC 2016



On 28/11/16 21:58, Blumenthal, Uri - 0553 - MITLL wrote:
> > I can't reproduce this. But on the other hand I don't have previous
> > installation on --prefix.
> 
> But did you add “enable-tls1_3” to your config?
> 
> > I mean I would guess this is because test
> > program picks shared libraries at --prefix locations instead of just
> > built ones, and those don't recognize 19-mac-then-encrypt.conf options.
> > Originally shlib_wrap.sh had DYLD_INSERT_LIBRARIES to make it work, but
> > it appears to be gone now... You should be able to confirm this by
> > temporarily renaming --prefix location and running 'make test' or
> > forcing install without testing...
> 
> I forced the install without testing, and then re-ran the entire build and test. I’m getting the very same problem.  I must also say that I’ve been tracking 1.1 branch for a very long time, always using this approach (without even forcing the install – it did not seem confused regarding what libraries to link against). 
> 
> The only thing that changed for this build now was addition of “enable-tls1_3” config option (and of course, pulling the latest stuff from the master).
> 
> Removing “enable-tls1_3” and reconfiguring makes this error disappear. So I think it’s somewhere in tls1_3 code. ;-)

The problem is in the test. Version negotiation happens before cipher
selection. The test creates a connection which negotiates TLSv1.3. It
then attempts to select a cipher. However no TLSv1.3 ciphers are offered
by the test so the connection aborts. In truth the test is all about
mac-then-encrypt which doesn't apply to TLSv1.3 anyway, so the test
should just disable negotiation of that protocol version.

Matt
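
A simplified model of the negotiation order described in the reply above, added here as an illustration: it is not OpenSSL code and not code from this thread. The suite table, `negotiate` and `run_mte_test` are constructed for the example and assume both peers offer only one CBC suite.

```python
# Simplified model (constructed for illustration, not OpenSSL code) of the
# order described above: the protocol version is fixed first, and only then
# is a cipher suite chosen from those usable with that version.
TLS1_2, TLS1_3 = 0x0303, 0x0304

# Constructed sample table: suite -> (versions modelled, is MAC-then-encrypt CBC)
SUITES = {
    "AES128-SHA":                  ({TLS1_2}, True),
    "ECDHE-RSA-AES128-GCM-SHA256": ({TLS1_2}, False),
    "TLS_AES_128_GCM_SHA256":      ({TLS1_3}, False),
}

class HandshakeFailure(Exception):
    pass

def negotiate(client_versions, client_suites, server_versions, server_suites):
    """Return (version, suite); the version is chosen before the cipher."""
    common = set(client_versions) & set(server_versions)
    if not common:
        raise HandshakeFailure("no shared protocol version")
    version = max(common)  # step 1: highest mutually supported version wins
    for suite in client_suites:  # step 2: cipher is picked for that version only
        if suite in server_suites and version in SUITES[suite][0]:
            return version, suite
    raise HandshakeFailure(f"no shared cipher for version {version:#06x}")

def run_mte_test(max_version):
    """Hypothetical test: both peers offer only a CBC suite, capped at max_version."""
    versions = [v for v in (TLS1_2, TLS1_3) if v <= max_version]
    cbc_only = ["AES128-SHA"]
    version, suite = negotiate(versions, cbc_only, versions, cbc_only)
    return version, suite, SUITES[suite][1]

if __name__ == "__main__":
    for cap in (TLS1_3, TLS1_2):
        try:
            print(hex(cap), run_mte_test(cap))
        except HandshakeFailure as exc:
            print(hex(cap), "aborted:", exc)
```

With TLSv1.3 allowed the model aborts at cipher selection; capped at TLSv1.2 it completes on the CBC suite, which is the path a mac-then-encrypt test needs to exercise.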


