
Re: TLSv1.3 support for 2.4.x?

On Tue, Sep 11, 2018 at 10:42:02AM +0200, Stefan Eissing wrote:
> > On 10.09.2018 at 10:59, Joe Orton <jorton@xxxxxxxxxx> wrote:
> > http://svn.apache.org/viewvc?view=revision&revision=1828220
> > - I think this is merged in the branch slightly differently?
> I think this overlaps with a subsequent change of SSL_HAVE_PROTOCOL_TLSV1_3 vs. SSL_OP_NO_TLSv1_3? Feel free to fix this as you think it's best.

Probably just need to mark it merged, ignore this for now.

> > http://svn.apache.org/viewvc?view=revision&revision=1828790
> > http://svn.apache.org/viewvc?view=revision&revision=1828791
> > http://svn.apache.org/viewvc?view=revision&revision=1828792
> > - I think these should be merged too?
> Just done. Thanks!

Thanks a lot.  

Does anybody have successful test results with post-handshake auth?  I'm 
testing against Fedora's OpenSSL 1.1.1pre9 which has merged the changes 
for https://github.com/openssl/openssl/issues/6933

I'm not able to get a successful PHA exchange, even with a client which 
explicitly enables PHA.  It seems like the test suite will be broken 
until the Perl stack is patched to enable PHA somehow, which is a 
massive headache AFAICT.

Without the SSL_peek(ssl, peekbuf, 0) after SSL_do_handshake(), OpenSSL 
is sending the CertificateRequest to the client but doesn't wait to read 
the response.  With the SSL_peek() call I think it successfully 
completes the "handshake" (and gets the cert) but then hangs waiting for 
app_data which is never coming, and eventually times out.  Anybody got 
better results?

Regards, Joe