[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLSv1.3 supprt for 2.4.x?


On Tue, Sep 11, 2018 at 03:39:42PM +0200, Yann Ylavic wrote:
> On Tue, Sep 11, 2018 at 12:13 PM Joe Orton <jorton@xxxxxxxxxx> wrote:
> >
> > Does anybody have successful test results with post-handshake auth?  I'm
> > testing against Fedora's OpenSSL 1.1.1pre9 which has merged the changes
> > for https://github.com/openssl/openssl/issues/6933
> 
> Just tried trunk+openssl-1.1.1pre9 (SSLProtocol TLSv1.3 and
> SSLVerifyClient require), with both firefox and s_client (w/ and w/o
> -enable_pha) and can't reproduce the hang.
> 
> What's your client tooling?

Have you tried the test suite with trunk+pre9?  I haven't had time to 
test this directly, but with Fedora 29's pre9 + tls1.3-2.4.x branch I am 
down to:

$ ./t/TEST t/ssl/
...
Failed 5/14 test programs. 12/331 subtests failed.

needed to get this far:

1. disable AUTO_RETRY to fix PHA
https://github.com/openssl/openssl/issues/7178#issuecomment-420300988

2. too much code has been moved out of ssl_hook_Access(), the 
FakeBasicAuth code & requires checking needs to come back

3. perl client side updates needed in IO::Socket:SSL and Net::SSLeay to 
re-enable PHA because of https://github.com/openssl/openssl/issues/6933

I will commit (1) and (2) today/tomorrow. I think (3) is, um, bizarre, 
but I'm not sure whether it is simpler to fight OpenSSL API design 
decisions or change every SSL client in the world to cope with them, 
probably the latter.