[openssl-users] Call for testing TLS 1.3

John Jiang john.sha.jiang at gmail.com
Thu Jun 21 09:44:22 UTC 2018


2018-06-20 17:01 GMT+08:00 Matt Caswell <matt at openssl.org>:

>
>
> On 20/06/18 07:11, John Jiang wrote:
> > 2018-06-19 6:21 GMT+08:00 Matt Caswell <matt at openssl.org>:
> >
> >
> >
> >     On 18/06/18 21:23, Hubert Kario wrote:
> >     > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote:
> >     >> On 08/06/18 02:48, John Jiang wrote:
> >     >>> Is it possible to check Key/IV update feature via these tools?
> >     >>> Thanks!
> >     >>
> >     >> Yes. See the "CONNECTED COMMANDS" sections of these pages:
> >     >> https://www.openssl.org/docs/manmaster/man1/s_server.html
> >     >> https://www.openssl.org/docs/manmaster/man1/s_client.html
> >     >>
> >     >> Basically typing "k" or "K" from an s_server/s_client session will issue
> >     >> a KeyUpdate message. Using the capitalised form ("K"), additionally
> >     >> requests a KeyUpdate from the peer.
> >     >
> >     > Are there similar commands to perform or control post-handshake client
> >     > authentication?
> >
> >     Yes. As mentioned on the above s_server link, type "c" from an s_server
> >     session to send a certificate request to the client.
> >
> > With the mentioned pages, I don't get how to test 0-RTT.
> > But it sounds that OpenSSL already supports this feature.
>
> It is on those pages - just not in the "CONNECTED COMMANDS" section.
>
> To test 0-RTT early data start s_server with the "-early_data" flag:
>
> $ openssl s_server -early_data
>
> Obtain a session that can later be used for sending early data:
>
> $ openssl s_client -sess_out session.pem
>
> Type "Q" in the s_client window to close the connection. Now you can do
> a 0-RTT handshake and send early data (assuming the existence of a file
> "myearlydata.dat" containing the early data you want to send):
>
> $ openssl s_client -sess_in session.pem -early_data myearlydata.dat
>

If s_server doesn't use option -early_data, the NewSessionTicket won't
contain the early_data extension, and then in the second connection,
s_client won't send early data even if option -early_data is used.
Right?
Is it possible to make s_client send early data, even though the server
doesn't support 0-RTT?
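
The early_data extension discussed above is extension type 42 in the TLS 1.3 NewSessionTicket message (RFC 8446 section 4.6.1); its presence indicates the ticket may be used to send 0-RTT data. The following is an added example, not part of the thread and not OpenSSL code: a parser that reports whether a NewSessionTicket body carries that extension. The function names are hypothetical and the sample ticket bytes are constructed.

```python
import struct

EXT_EARLY_DATA = 42  # ExtensionType early_data (RFC 8446 section 4.2)

def build_new_session_ticket(max_early_data=None):
    """Constructed sample NewSessionTicket body, for demonstration only."""
    ext = b""
    if max_early_data is not None:
        ext = struct.pack("!HHI", EXT_EARLY_DATA, 4, max_early_data)
    nonce, ticket = b"\x00" * 8, b"T" * 32        # constructed placeholders
    return (struct.pack("!II", 7200, 0x01020304)  # lifetime, age_add
            + bytes([len(nonce)]) + nonce
            + struct.pack("!H", len(ticket)) + ticket
            + struct.pack("!H", len(ext)) + ext)

def max_early_data_size(body):
    """Return max_early_data_size, or None when the ticket has no
    early_data extension (the ticket does not permit 0-RTT)."""
    def take(off, n):
        if off + n > len(body):
            raise ValueError("truncated NewSessionTicket")
        return body[off:off + n], off + n

    _, off = take(0, 8)                            # ticket_lifetime + ticket_age_add
    n, off = take(off, 1)
    _, off = take(off, n[0])                       # ticket_nonce<0..255>
    n, off = take(off, 2)
    _, off = take(off, struct.unpack("!H", n)[0])  # ticket<1..2^16-1>
    n, off = take(off, 2)
    exts, off = take(off, struct.unpack("!H", n)[0])
    if off != len(body):
        raise ValueError("trailing bytes after extensions")

    pos = 0
    while pos < len(exts):
        if pos + 4 > len(exts):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", exts, pos)
        data = exts[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            raise ValueError("truncated extension data")
        if etype == EXT_EARLY_DATA:
            if elen != 4:
                raise ValueError("early_data in a ticket must be a uint32")
            return struct.unpack("!I", data)[0]
        pos += 4 + elen
    return None
```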