s_server/s_client on checking middlebox compatibility

Matt Caswell matt at openssl.org
Tue Feb 26 09:34:32 UTC 2019

On 26/02/2019 06:22, John Jiang wrote:
> Is it possible to check if peer implements middlebox compatibility by
> s_server/s_client?
> It looks the test tools don't care this point.
> For example, if a server doesn't send change_cipher_spec after
> HelloRetryRequest, s_client still feels fine.That's not bad. But can I setup
> these tools to check middlebox compatibility?

By default s_server/s_client will have middlebox compatibility on. You can turn
it off using the option "-no_middlebox". There is no option to directly tell you
if an endpoint is using middlebox compatibility mode or not. You could figure it
out indirectly by using the "-debug" option. This shows you the raw data that is
being sent/received by the endpoints. Assuming TLSv1.3 has been negotiated then
a remote peer is using middlebox compatibility if you see a sequence like this
during the handshake:

read from 0x557afedffb60 [0x557afee057d3] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01                                    .....
read from 0x557afedffb60 [0x557afee057d8] (1 bytes => 1 (0x1))
0000 - 01


More information about the openssl-users mailing list