osdir.com


Re: TLSv1.3 support for 2.4.x?


As of r1841219 I think the tlsv1.3-for-2.4.x is ready for merging...

A BIG caveat remains around Post-Handshake Auth.  With the current Perl 
stack (including whatever adjustments for OpenSSL 1.1.1 already 
required) the failures I get with the test suite and that branch are 
significant, because PHA is NOT enabled by default client-side and a 
bunch of the tests rely on that.

I don't understand the logic behind disabling PHA by default, and I 
think it's a serious error, but I am not optimistic that the decision 
will be reversed.

So with PHA disabled client side I get:

t/security/CVE-2009-3555.t        (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests:  3-4
t/ssl/basicauth.t                 (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests:  2-3
t/ssl/env.t                       (Wstat: 0 Tests: 30 Failed: 15)
  Failed tests:  16-30
t/ssl/extlookup.t                 (Wstat: 0 Tests: 4 Failed: 4)
  Failed tests:  1-4
t/ssl/fakeauth.t                  (Wstat: 0 Tests: 3 Failed: 2)
  Failed tests:  2-3
t/ssl/ocsp.t                      (Wstat: 0 Tests: 3 Failed: 1)
  Failed test:  3
t/ssl/require.t                   (Wstat: 0 Tests: 10 Failed: 3)
  Failed tests:  2, 5, 9
t/ssl/varlookup.t                 (Wstat: 0 Tests: 83 Failed: 83)
  Failed tests:  1-83
t/ssl/verify.t                    (Wstat: 0 Tests: 3 Failed: 1)
  Failed test:  2

Hacking the Perl stack to enable PHA by default, PoC patches here - 
http://people.apache.org/~jorton/tlsv13-pha-snafu/ - I get:

t/security/CVE-2009-3555.t        (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests:  3-4
t/ssl/ocsp.t                      (Wstat: 0 Tests: 3 Failed: 1)
  Failed test:  3

which I believe are both false +ves.  I'll continue working these 
remaining failures.

Regards, Joe