[openssl-users] Call for testing TLS 1.3

John Jiang john.sha.jiang at gmail.com
Fri Jun 8 01:48:13 UTC 2018


Is it possible to check Key/IV update feature via these tools?
Thanks!

2018-05-23 20:33 GMT+08:00 Matt Caswell <matt at openssl.org>:

>
>
> On 23/05/18 12:39, John Jiang wrote:
> > Hi,
> > If just using s_server and s_client, can I test the TLS 1.3 features,
> > like HelloRetryRequest and resumption?
>
> Yes.
>
> To create a normal (full handshake) TLSv1.3 connection just use
> s_server/s_client in the normal way, e.g.
>
> $ openssl s_server -cert cert.pem -key key.pem
> $ openssl s_client
>
> To test resumption first create a full handshake TLSv1.3 connection and
> save the session:
>
> $ openssl s_server -cert cert.pem -key key.pem
> $ openssl s_client -sess_out session.pem
>
> Close the s_client instance by entering "Q" followed by enter. Then
> (without closing the s_server instance) resume the session:
>
> $ openssl s_client -sess_in session.pem
>
>
> A HelloRetryRequest will occur if the key share provided by the client
> is not acceptable to the server. By default the client will send an
> X25519 key share, so if the server does not accept that group then an
> HRR will result, e.g.
>
> $ openssl s_server -cert cert.pem -key key.pem -groups P-256
> $ openssl s_client
>
>
> Of course a HelloRetryRequest all happens at the protocol layer and is
> invisible as far as a user of the command line apps is concerned. You
> will have to look at what happens "on the wire" to actually see it in
> action - for example by using wireshark. Alternatively you can compile
> OpenSSL with the "enable-ssl-trace" option, and pass the "-trace" flag
> to s_server or s_client to see what protocol messages are being exchanged.
>
> Matt
>
>
>
> >
> > 2018-04-29 18:43 GMT+08:00 Kurt Roeckx <kurt at roeckx.be>:
> >
> >     The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
> >     1.3 brings a lot of changes that might cause incompatibility. For
> >     an overview see https://wiki.openssl.org/index.php/TLS1.3
> >
> >     We are considering if we should enable TLS 1.3 by default or not,
> >     or when it should be enabled. For that, we would like to know how
> >     applications behave with the latest beta release.
> >
> >     When testing this, it's important that both sides of the
> >     connection support the same TLS 1.3 draft version. OpenSSL
> >     currently implements draft 26. We would like to see tests
> >     for OpenSSL acting as client and server.
> >
> >     https://github.com/tlswg/tls13-spec/wiki/Implementations lists
> >     other TLS 1.3 implementations and the draft they currently
> >     support. Note that the versions listed there might not be for the
> >     latest release. It also lists some https test servers.
> >
> >     We would really like to see a diverse set of applications being
> >     tested. Please report any results you have to us.
> >
> >
> >     Kurt
> >
> >     --
> >     openssl-users mailing list
> >     To unsubscribe:
> >     https://mta.openssl.org/mailman/listinfo/openssl-users
> >
> >
> >
> >
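The procedure Matt describes (full handshake, resumption, then a forced HelloRetryRequest) as a repeatable script; this is an added example, not code from the thread or from OpenSSL. It assumes an OpenSSL build with TLS 1.3 support on PATH; the port, the throwaway self-signed certificate, the `-www` server mode, the one-second waits and the use of `-msg` (which shows the handshake messages without an enable-ssl-trace build) are my choices, not anything the thread specifies.

```shell
#!/bin/sh
# Assumes an OpenSSL with TLS 1.3 on PATH; port, cert and sleeps are my choices.
set -u
PORT=${PORT:-14433}
WORK=$(mktemp -d)
SRV_PID=
cleanup() { stop_server; rm -rf "$WORK"; }
trap cleanup EXIT
# Throwaway key/cert (constructed) so the demo needs no real identity.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=localhost -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}
# Background s_server; extra args (e.g. -groups P-256) are passed through.
# -www stops it reading our non-terminal stdin (EOF would make it quit),
# so it stays up between connections as the procedure requires.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -www "$@" >"$WORK/server.log" 2>&1 &
    SRV_PID=$!
    sleep 1
}
stop_server() {
    [ -n "$SRV_PID" ] || return 0
    kill "$SRV_PID" 2>/dev/null || :; wait "$SRV_PID" 2>/dev/null || :; SRV_PID=
}
# One s_client run, closed with "Q" as in the thread; the short wait lets the
# NewSessionTicket (sent after the handshake in TLS 1.3) arrive first.
client() {
    { sleep 1; printf 'Q\n'; } | openssl s_client -connect "127.0.0.1:$PORT" "$@" 2>&1
}
# "New" for a full handshake, "Reused" when the saved session was resumed.
session_kind() {
    client "$@" | awk '/^(New|Reused), TLSv1\.3/ { sub(/,.*/, ""); print; exit }'
}
# -msg prints the handshake messages, so the otherwise invisible HRR shows up
# as the client sending ClientHello twice.
client_hello_count() { client -msg "$@" | grep -c ClientHello; }
run_demo() {
    make_cert && start_server
    echo "full handshake: $(session_kind -sess_out "$WORK/session.pem")"
    echo "resumption:     $(session_kind -sess_in "$WORK/session.pem")"
    stop_server
    start_server -groups P-256   # client's default X25519 key share is rejected
    echo "ClientHello messages with HRR: $(client_hello_count)"
    stop_server
}
run_demo
```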