Conversation
This should be sent in the ServerHello if a EC based ciphersuite is negotiated. The relevant flag to do this was missed off in the recent extensions refactor. Fixes GitHub Issue openssl#2133
util/TLSProxy/Message.pm
Outdated
There was a problem hiding this comment.
should this match the name in ssl.h?
There was a problem hiding this comment.
None of the other constants in this file match the equivalents in the C. To me this is a fairly intuitive name (it more or less matches the OpenSSL "string" name of the ciphersuite (except "_" not "-" and a "CIPHER_" prefix)).
util/TLSProxy/Proxy.pm
Outdated
There was a problem hiding this comment.
class or self? is this line needed?
There was a problem hiding this comment.
class. $ciphersuite is a class variable (i.e. a module global variable), not an instance variable. It's the same as is_tls13 about 10 lines up.
test/recipes/70-test_sslmessages.t
Outdated
There was a problem hiding this comment.
You should wrap this with a diabled("ec") check...
There was a problem hiding this comment.
In #2154 I disable the whole test for no-ec. I think its better than adding lots of complexity to the test to deal with this option.
There was a problem hiding this comment.
It's not a whole lot of complexity, here's how you do it:
(disabled("ec") ? () :
[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
checkhandshake::EC_HANDSHAKE]),There was a problem hiding this comment.
On, reflection I think you are right, and your suggested approach is easier than I thought. I have done the above and also moved the commits from #2154 into this one as they are too closely related to deal with them separately.
test/recipes/70-test_sslmessages.t
Outdated
There was a problem hiding this comment.
This isn't actually necessary because we skip the test that uses this information anyway.
test/recipes/70-test_sslmessages.t
Outdated
There was a problem hiding this comment.
Wrap this with:
SKIP: {
skip "No EC support in this OpenSSL build", 1 if disabled("ec");
# original code here
}
|
FYI, the |
Yeah, I know. I'm working on it. |
…pect The previous commit fixed a bug where the EC point formats extensions did not appear in the ServerHello. This should have been caught by 70-test_sslmessages but that test never tries an EC ciphersuite. This updates the test to do that.
Previously we were omitting the extension information from ext_defs if the association no- option was defined. This doesn't work because the indexes into the table are no longer valid.
The CT tests in test_sslmessages require EC to be available, therefore we must skip these if no-ec
mattcaswell
force-pushed
the
fix-ec-point-formats
branch
from
dd15a5a to
d48ceb3
Compare
|
Fixed issues above. New commits added taken from #2154. Also added a new commit to deal with a hang in test_sslmessages when using no-ec. This is because the ct tests in that file require ec to be available, so I just disabled those in the event of no-ec. |
| (disabled("ec") ? () : | ||
| [TLSProxy::Message::MT_CLIENT_HELLO, | ||
| TLSProxy::Message::EXT_EC_POINT_FORMATS, | ||
| checkhandshake::DEFAULT_EXTENSIONS]), |
There was a problem hiding this comment.
Side comment: that can be written like this as well:
(disabled("ec") ? () :
([TLSProxy::Message::MT_CLIENT_HELLO,
TLSProxy::Message::EXT_SUPPORTED_GROUPS,
checkhandshake::DEFAULT_EXTENSIONS],
[TLSProxy::Message::MT_CLIENT_HELLO,
TLSProxy::Message::EXT_EC_POINT_FORMATS,
checkhandshake::DEFAULT_EXTENSIONS])),This is because lists of this kind are flattened in Perl. Also, I'm not 100% sure the outer parens are strictly needed.
But, this is a preference and your choice to make.
There was a problem hiding this comment.
Actually, I did think about doing it that way, but made a deliberate decision not to. Either way is valid, but supported_groups may include non ec groups in the not too distant future if we implement support for DHE groups, so I decided to have separate expressions for them.
| SKIP: { | ||
| skip "No EC support in this OpenSSL build", 1 if disabled("ec"); | ||
| $proxy->clear(); | ||
| $proxy->clientflags("-no_tls1_3"); |
There was a problem hiding this comment.
Is that flag strictly necessary? I would prefer if it's avoided as much as possible. My experience with sslvertol has shown that it's not as necessary as it was once...
There was a problem hiding this comment.
Yes, it is very much necessary. Without it TLSv1.3 would be negotiated and then the connection would fail due to a "no shared cipher". WRT sslvertol, I think you have a misunderstanding and I will comment on the relevant PR.
This should be sent in the ServerHello if a EC based ciphersuite is negotiated. The relevant flag to do this was missed off in the recent extensions refactor. Fixes GitHub Issue #2133 Reviewed-by: Richard Levitte <[email protected]> (Merged from #2153)
…pect The previous commit fixed a bug where the EC point formats extensions did not appear in the ServerHello. This should have been caught by 70-test_sslmessages but that test never tries an EC ciphersuite. This updates the test to do that. Reviewed-by: Richard Levitte <[email protected]> (Merged from #2153)
Previously we were omitting the extension information from ext_defs if the association no- option was defined. This doesn't work because the indexes into the table are no longer valid. Reviewed-by: Richard Levitte <[email protected]> (Merged from #2153)
Reviewed-by: Richard Levitte <[email protected]> (Merged from #2153)
The CT tests in test_sslmessages require EC to be available, therefore we must skip these if no-ec Reviewed-by: Richard Levitte <[email protected]> (Merged from #2153)
|
Pushed. Thanks. |
4 participants
Checklist
Description of change
Fix the EC point formats extension. This should be sent in the ServerHello if an EC based ciphersuite is
negotiated (<= TLS1.2). The relevant flag to do this was missed off in the recent extensions refactor. This bug should have been caught by
70-test_sslmessagesbut that test never tries an EC ciphersuite, so we also update the test to do that.Fixes #2133