Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssl-opt.sh: make openssl and gnutls more permissive #10033

Open
gilles-peskine-arm opened this issue Mar 4, 2025 · 0 comments
Open

ssl-opt.sh: make openssl and gnutls more permissive #10033

gilles-peskine-arm opened this issue Mar 4, 2025 · 0 comments
Labels
component-tls enhancement size-s Estimated task size: small (~2d)

Comments

@gilles-peskine-arm
Copy link
Contributor

The OpenSSL and GnuTLS command line TLS utilities (openssl s_client, openssl s_server, gnutls-cli, gnutls-serv) reject some unusual or deprecated cipher suites by default. In compat.sh, we pass command line options to enable more things. In ssl-opt.sh, we currently don't. This can lead to surprising failures when adding new tests.

A non-exhaustive list:

  • To allow all TLS ≤1.2 cipher suites with OpenSSL <1.1.1, pass -cipher ALL:COMPLEMENTOFALL. To allow all cipher suites with OpenSSL ≤1.1.1, pass -cipher ALL@SECLEVEL=0:COMPLEMENTOFALL@SECLEVEL=0. By default, OpenSSL doesn't accept CCM (which affects config-ccm-psk-tls1_2.h and config-ccm-psk-dtls1_2.h) or null cipher suites.
  • To allow pure PSK in TLS 1.3 with OpenSSL, pass -allow_no_dhe_kex. This affects component_test_tls13_only_psk. Note that in PSK-only configurations, ssl-opt.sh attempts to run test cases that don't require certificates, and injects -psk into the command lines; however, at the time of writing, this is partly broken due to Skipped test cases in ssl-opt.sh in TLS 1.3-only configurations #9560.
  • To allow more things with GnuTLS, pass a suitable --priority option. See the manual and compat.sh.

Definition of done for this issue: the default invocations of $O_CLI, $O_SRV, $G_CLI, $G_SRV and their variants (NEXT, LEGACY, whatever else we may add) in ssl-opt.sh are permissive, so that there are fewer surprises when adding a new test case. Or, alternatively (but it's probably too complicated), run_test injects extra arguments based on what's being tested.

Note that making the invocations more permissive can break some of our tests. Some known issues:

  • More cipher suites means a larger ClientHello which can affect configurations with a small buffer size, and defragmentation tests (we don't support ClientHello defragmentation in TLS 1.2).
  • Some test cases in tls13-kex-modes.sh assume that OpenSSL rejects pure-PSK. See cf7eaf4 and 9e6b997 for a way to fix that that passed the CI (rejected from Generate TLS handshake defragmentation tests #10021 because it was out of scope, and we aren't sure whether that's the best fix).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component-tls enhancement size-s Estimated task size: small (~2d)
Projects
Friction
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gilles-peskine-arm