s_server/s_client on checking middlebox compatibility

Hubert Kario hkario at redhat.com
Tue Feb 26 13:56:45 UTC 2019


On Tuesday, 26 February 2019 07:22:52 CET John Jiang wrote:
> Is it possible to check if peer implements middlebox compatibility by
> s_server/s_client?
> It looks the test tools don't care this point.
> For example, if a server doesn't send change_cipher_spec after
> HelloRetryRequest, s_client still feels fine.That's not bad. But can I
> setup these tools to check middlebox compatibility?

As Matt said, there's no human-readable output that shows that.

tlsfuzzer does verify if the server sends ChangeCipherSpec and at what
point in the connection (all scripts expect it right after ServerHello or
right after HelloRetryRequest depending on connection).

You can use
https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-conversation.py
https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-hrr.py
and
https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-session-resumption.py
respectively to test regular handshake, one with HelloRetryRequest
and one that performs session resumption.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190226/7b4c7d2e/attachment.sig>


More information about the openssl-users mailing list