<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 29/06/21 18:31, david raingeard wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFvDS1RomHYxqO-UWe1v6K9ZBYsY2hch2d5Gj7oZ1kzzt2VO=g@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr">OK, here it is. It compiled mostly OK (some fixes
for Solaris 2.6, like inttypes.h instead of stdint).
<div>The test suite fails (dubious error).</div>
<div><br>
</div>
<div><b>TLS 1.2 works</b> just fine (<b>openssl s_client
-connect <a href="http://google.com:443"
moz-do-not-send="true">google.com:443</a> -tls1_2 -trace</b>)</div>
<div><br>
</div>
<div>but <b>TLS 1.3 fails</b> starting when the <b>ApplicationData
</b>record is received.</div>
<div><br>
</div>
</div>
</blockquote>
I'd say this is a local build issue; I just unpacked 1.1.1g on my
CentOS 7.9 box, did a<br>
./config no-shared<br>
make<br>
make test<br>
then<br>
./apps/openssl s_client -CAfile /etc/pki/tls/cert.pem -connect
google.com:443 <br>
<br>
and got this:<br>
<br>
./apps/openssl s_client -CAfile /etc/pki/tls/cert.pem -connect
google.com:443 <br>
CONNECTED(00000003)<br>
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1<br>
verify return:1<br>
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3<br>
verify return:1<br>
depth=0 CN = *.google.com<br>
verify return:1<br>
---<br>
Certificate chain<br>
0 s:CN = *.google.com<br>
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3<br>
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3<br>
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1<br>
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1<br>
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign
Root CA<br>
---<br>
Server certificate<br>
-----BEGIN CERTIFICATE-----<br>
[...]<br>
-----END CERTIFICATE-----<br>
subject=CN = *.google.com<br>
<br>
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3<br>
<br>
---<br>
No client certificate CA names sent<br>
Peer signing digest: SHA256<br>
Peer signature type: ECDSA<br>
Server Temp Key: X25519, 253 bits<br>
---<br>
SSL handshake has read 6449 bytes and written 392 bytes<br>
Verification: OK<br>
---<br>
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384<br>
Server public key is 256 bit<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
Early data was not sent<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
<br>
So no errors, no warnings and it is using TLS 1.3 to connect.<br>
Check your local environment and especially check that<br>
make test<br>
does not give any errors.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</body>
</html>