
Re: TLSv1.3 support for 2.4.x?


On Wed, Sep 12, 2018 at 3:17 PM Joe Orton <jorton@xxxxxxxxxx> wrote:
>
> On Tue, Sep 11, 2018 at 03:39:42PM +0200, Yann Ylavic wrote:
> > On Tue, Sep 11, 2018 at 12:13 PM Joe Orton <jorton@xxxxxxxxxx> wrote:
> > >
> > > Does anybody have successful test results with post-handshake auth?  I'm
> > > testing against Fedora's OpenSSL 1.1.1pre9 which has merged the changes
> > > for https://github.com/openssl/openssl/issues/6933
> >
> > Just tried trunk+openssl-1.1.1pre9 (SSLProtocol TLSv1.3 and
> > SSLVerifyClient require), with both firefox and s_client (w/ and w/o
> > -enable_pha) and can't reproduce the hang.
> >
> > What's your client tooling?
>
> Have you tried the test suite with trunk+pre9?  I haven't had time to
> test this directly, but with Fedora 29's pre9 + tls1.3-2.4.x branch I am
> down to:
>
> $ ./t/TEST t/ssl/
> ...
> Failed 5/14 test programs. 12/331 subtests failed.

With patch [1] (SSL_CTX_clear_mode for AUTO_RETRY) and your latest
framework changes, the only errors remaining are:

t/modules/http2.t ................... Failed 28/52 subtests
("Parse errors: Bad plan.  You planned 52 tests but ran 24", tests
skipped because of TLS-1.3??).

t/ssl/proxy.t ...... 3/? # Failed test 3 in t/ssl/proxy.t at line 63
# Failed test 5 in t/ssl/proxy.t at line 75
# Failed test 6 in t/ssl/proxy.t at line 89
# Failed test 7 in t/ssl/proxy.t at line 95
t/ssl/proxy.t ...... 113/? # Failed test 116 in t/ssl/proxy.t at line 63 fail #2
# Failed test 118 in t/ssl/proxy.t at line 75 fail #2
# Failed test 119 in t/ssl/proxy.t at line 89 fail #2
# Failed test 120 in t/ssl/proxy.t at line 95 fail #2
t/ssl/proxy.t ...... Failed 8/172 subtests
(didn't look at the details)

For the ssl/proxy ones, I tried with patch [2]
(SSL_CTX_set_post_handshake_auth):
t/ssl/proxy.t ...... 1/? # Failed test 4 in t/ssl/proxy.t at line 69
t/ssl/proxy.t ...... 108/? # Failed test 117 in t/ssl/proxy.t at line 69 fail #2
t/ssl/proxy.t ...... Failed 2/172 subtests
(better but not really that yet. Anyway I don't really understand why
we'd do that, and how it helps Perl, given that it's supposed to be
opt-in for compatibility, and AFAICT ssl/proxy tests don't use
TLS-1.3...)

>
> 1. disable AUTO_RETRY to fix PHA
> https://github.com/openssl/openssl/issues/7178#issuecomment-420300988
>
> 2. too much code has been moved out of ssl_hook_Access(), the
> FakeBasicAuth code & requires checking needs to come back
>
> 3. perl client side updates needed in IO::Socket:SSL and Net::SSLeay to
> re-enable PHA because of https://github.com/openssl/openssl/issues/6933
>
> I will commit (1) and (2) today/tomorrow. I think (3) is, um, bizarre,
> but I'm not sure whether it is simpler to fight OpenSSL API design
> decisions or change every SSL client in the world to cope with them,
> probably the latter.

I can't grok that change needed on the client-side either :/

Regards,
Yann.

[1]:
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c    (revision 1840709)
+++ modules/ssl/ssl_engine_init.c    (working copy)
@@ -786,6 +786,10 @@ static apr_status_t ssl_init_ctx_protocol(server_r
         SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif

+#ifdef SSL_MODE_AUTO_RETRY
+    SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
+#endif
+
     return APR_SUCCESS;
 }
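Review bot: the new `SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)` block has no comment saying why the mode is cleared, and the reason (the post-handshake-auth hang tracked in openssl/openssl#7178, cited earlier in this mail) is not recoverable from the code; add a one-line comment above the `#ifdef` pointing at that issue. Note also that the guard is only `#ifdef SSL_MODE_AUTO_RETRY`, so the mode is cleared for every OpenSSL version and every protocol, not just TLS 1.3 with client-certificate verification; with AUTO_RETRY off, `SSL_read()` can return `SSL_ERROR_WANT_READ` after consuming a non-application-data record (session ticket, key update, PHA request) even on a blocking socket, so the mod_ssl I/O path must be prepared to retry in that case or connections may fail spuriously.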
--

[2]:
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c    (revision 1840709)
+++ modules/ssl/ssl_engine_init.c    (working copy)
@@ -1553,6 +1557,11 @@ static apr_status_t ssl_init_proxy_certs(server_re

     SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
                                ssl_callback_proxy_cert);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+    if (/*mctx->enable_pha*/1) {
+        SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1);
+    }
+#endif

     if (!(pkp->cert_file || pkp->cert_path)) {
         return APR_SUCCESS;
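Review bot: `if (/*mctx->enable_pha*/1)` hard-codes the condition to true with the intended check commented out, so post-handshake auth is enabled unconditionally on the proxy client context regardless of configuration; either wire the flag to a real field on `mctx` driven by a directive, or drop the `if` and call `SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1)` directly, with a comment stating why the proxy client opts in (the surrounding mail itself notes the reason is unclear and that t/ssl/proxy.t does not use TLS 1.3). The `OPENSSL_VERSION_NUMBER >= 0x10101000L` guard is also true under LibreSSL, which defines `OPENSSL_VERSION_NUMBER` as `0x20000000L`, so consider adding `&& !defined(LIBRESSL_VERSION_NUMBER)` unless the function is known to exist there.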
--