s_server/s_client on checking middlebox compatibility

John Jiang john.sha.jiang at gmail.com
Wed Feb 27 02:24:38 UTC 2019


I had tried TLS Fuzzer, and it worked for me.
I just wished that OpenSSL could do similar things.

Thanks!

On Tue, Feb 26, 2019 at 9:56 PM Hubert Kario <hkario at redhat.com> wrote:

> On Tuesday, 26 February 2019 07:22:52 CET John Jiang wrote:
> > Is it possible to check if peer implements middlebox compatibility by
> > s_server/s_client?
> > It looks like the test tools don't care about this point.
> > For example, if a server doesn't send change_cipher_spec after
> > HelloRetryRequest, s_client still feels fine. That's not bad. But can I
> > set up these tools to check middlebox compatibility?
>
> As Matt said, there's no human-readable output that shows that.
>
> tlsfuzzer does verify if the server sends ChangeCipherSpec and at what
> point in the connection (all scripts expect it right after ServerHello or
> right after HelloRetryRequest depending on connection).
>
> You can use
>
> https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-conversation.py
> https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-hrr.py
> and
>
> https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-session-resumption.py
> respectively to test regular handshake, one with HelloRetryRequest
> and one that performs session resumption.
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
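
The check discussed in this thread (does a ChangeCipherSpec record immediately follow the server's first handshake message, whether ServerHello or HelloRetryRequest) can also be run offline on captured server-to-client bytes. The following is an added example, not code from the thread, OpenSSL or tlsfuzzer; the function names are hypothetical, the sample streams are constructed, and it assumes one handshake message per record.

```python
import hashlib
import struct

# RFC 8446: a HelloRetryRequest is a ServerHello carrying this fixed random.
HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()
HANDSHAKE, CCS, APP_DATA = 22, 20, 23   # TLS record content types
SERVER_HELLO = 2                        # handshake message type


def records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, payload
        pos += 5 + length


def first_hello_ccs(stream):
    """Return (kind, ccs_follows) for the server's first handshake message, or None."""
    recs = list(records(stream))
    for i, (ctype, payload) in enumerate(recs):
        if ctype == HANDSHAKE and len(payload) >= 38 and payload[0] == SERVER_HELLO:
            # 4-byte handshake header + 2-byte legacy_version precede the random
            is_hrr = payload[6:38] == HRR_RANDOM
            kind = "HelloRetryRequest" if is_hrr else "ServerHello"
            return kind, recs[i + 1:i + 2] == [(CCS, b"\x01")]
    return None


def record(ctype, payload):
    """Build one TLS record (helper for the constructed samples below)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def hello(random):
    """Build a minimal, constructed ServerHello record with the given random."""
    body = b"\x03\x03" + random + b"\x00" + b"\x13\x01" + b"\x00" + b"\x00\x00"
    return record(HANDSHAKE, bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body)


# Constructed server-to-client byte streams, not captures from a real server.
WITH_CCS = hello(HRR_RANDOM) + record(CCS, b"\x01") + hello(b"\x11" * 32)
WITHOUT_CCS = hello(b"\x11" * 32) + record(APP_DATA, b"\x00" * 16)
```

A result of `("ServerHello", False)` or `("HelloRetryRequest", False)` means the peer did not send the compatibility ChangeCipherSpec at the expected point.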