mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-02-07 15:40:27 +00:00
Merge pull request #6482 from ronald-cron-arm/tls13-misc
TLS 1.3: Update documentation for the coming release and misc
This commit is contained in:
Ronald Cron
GitHub
commit
04e2133f45
9
ChangeLog.d/tls13-misc.txt
Normal file
9
ChangeLog.d/tls13-misc.txt
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
Features
|
||||||
|
* Mbed TLS supports TLS 1.3 key establishment via pre-shared keys,
|
||||||
|
pre-shared keys provisioned externally or via the ticket mechanism
|
||||||
|
(session resumption).
|
||||||
|
The MBEDTLS_SSL_SESSION_TICKETS configuration option controls the support
|
||||||
|
for the ticket mechanism.
|
||||||
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED configuration options
|
||||||
|
have been introduced to control the support for the three possible
|
||||||
|
TLS 1.3 key exchange modes.
|
||||||
@ -28,9 +28,12 @@ Support description
|
|||||||
|
|
||||||
- Mbed TLS does not support DHE key establishment.
|
- Mbed TLS does not support DHE key establishment.
|
||||||
|
|
||||||
- Mbed TLS does not support pre-shared keys, including any form of
|
- Mbed TLS supports pre-shared keys for key establishment, pre-shared keys
|
||||||
session resumption. This implies that it does not support sending early
|
provisioned externally as well as provisioned via the ticket mechanism.
|
||||||
data (0-RTT data).
|
|
||||||
|
- Mbed TLS supports session resumption via the ticket mechanism.
|
||||||
|
|
||||||
|
- Mbed TLS does not support sending or receiving early data (0-RTT data).
|
||||||
|
|
||||||
- Supported cipher suites: depends on the library configuration. Potentially
|
- Supported cipher suites: depends on the library configuration. Potentially
|
||||||
all of them:
|
all of them:
|
||||||
@ -54,8 +57,8 @@ Support description
|
|||||||
| server_certificate_type | no |
|
| server_certificate_type | no |
|
||||||
| padding | no |
|
| padding | no |
|
||||||
| key_share | YES |
|
| key_share | YES |
|
||||||
| pre_shared_key | no |
|
| pre_shared_key | YES |
|
||||||
| psk_key_exchange_modes | no |
|
| psk_key_exchange_modes | YES |
|
||||||
| early_data | no |
|
| early_data | no |
|
||||||
| cookie | no |
|
| cookie | no |
|
||||||
| supported_versions | YES |
|
| supported_versions | YES |
|
||||||
@ -118,7 +121,7 @@ Support description
|
|||||||
| MBEDTLS_SSL_RENEGOTIATION | n/a |
|
| MBEDTLS_SSL_RENEGOTIATION | n/a |
|
||||||
| MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | no |
|
| MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | no |
|
||||||
| | |
|
| | |
|
||||||
| MBEDTLS_SSL_SESSION_TICKETS | no |
|
| MBEDTLS_SSL_SESSION_TICKETS | yes |
|
||||||
| MBEDTLS_SSL_SERVER_NAME_INDICATION | yes |
|
| MBEDTLS_SSL_SERVER_NAME_INDICATION | yes |
|
||||||
| MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | no |
|
| MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | no |
|
||||||
| | |
|
| | |
|
||||||
@ -175,8 +178,7 @@ Prototype upstreaming status
|
|||||||
|
|
||||||
The following parts of the TLS 1.3 prototype remain to be upstreamed:
|
The following parts of the TLS 1.3 prototype remain to be upstreamed:
|
||||||
|
|
||||||
- Pre-shared keys, session resumption and 0-RTT data (both client and server
|
- Sending (client) and receiving (server) early data (0-RTT data).
|
||||||
side).
|
|
||||||
|
|
||||||
- New TLS Message Processing Stack (MPS)
|
- New TLS Message Processing Stack (MPS)
|
||||||
|
|
||||||
|
|||||||
@ -648,14 +648,6 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
|
|||||||
*/
|
*/
|
||||||
p += 5;
|
p += 5;
|
||||||
|
|
||||||
if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
|
|
||||||
{
|
|
||||||
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
|
|
||||||
ke_modes_len++;
|
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
|
|
||||||
}
|
|
||||||
|
|
||||||
if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
|
if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
|
||||||
{
|
{
|
||||||
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
|
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
|
||||||
@ -664,6 +656,14 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
|
|||||||
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
|
||||||
|
{
|
||||||
|
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
|
||||||
|
ke_modes_len++;
|
||||||
|
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
|
||||||
|
}
|
||||||
|
|
||||||
/* Now write the extension and ke_modes length */
|
/* Now write the extension and ke_modes length */
|
||||||
MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
|
MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
|
||||||
buf[4] = ke_modes_len;
|
buf[4] = ke_modes_len;
|
||||||
|
|||||||
@ -2431,7 +2431,10 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
|
|||||||
authmode = ssl->conf->authmode;
|
authmode = ssl->conf->authmode;
|
||||||
|
|
||||||
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
|
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
|
||||||
|
{
|
||||||
|
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
||||||
return( SSL_CERTIFICATE_REQUEST_SKIP );
|
return( SSL_CERTIFICATE_REQUEST_SKIP );
|
||||||
|
}
|
||||||
|
|
||||||
ssl->handshake->certificate_request_sent = 1;
|
ssl->handshake->certificate_request_sent = 1;
|
||||||
|
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@ -3161,7 +3161,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||||
run_test "TLS 1.3: m->G: psk/all, good" \
|
run_test "TLS 1.3: m->G: psk/all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3181,7 +3181,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||||
run_test "TLS 1.3: m->G: psk/ephemeral_all, fail - no common kex mode" \
|
run_test "TLS 1.3: m->G: psk/ephemeral_all, fail - no common kex mode" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
|
||||||
1 \
|
1 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3202,7 +3202,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: psk_all/all, good" \
|
run_test "TLS 1.3: m->G: psk_all/all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3212,7 +3212,7 @@ run_test "TLS 1.3: m->G: psk_all/all, good" \
|
|||||||
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
||||||
-s "Parsing extension 'Pre Shared Key/41'" \
|
-s "Parsing extension 'Pre Shared Key/41'" \
|
||||||
-c "<= write client hello" \
|
-c "<= write client hello" \
|
||||||
-c "Selected key exchange mode: psk$" \
|
-c "Selected key exchange mode: psk_ephemeral" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
@ -3222,10 +3222,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: psk_all/ephemeral_all, fail - no fallback" \
|
run_test "TLS 1.3: m->G: psk_all/ephemeral_all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
|
||||||
1 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
|
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
|
||||||
-c "client hello, adding psk_key_exchange_modes extension" \
|
-c "client hello, adding psk_key_exchange_modes extension" \
|
||||||
@ -3233,7 +3233,8 @@ run_test "TLS 1.3: m->G: psk_all/ephemeral_all, fail - no fallback" \
|
|||||||
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
||||||
-s "Parsing extension 'Pre Shared Key/41'" \
|
-s "Parsing extension 'Pre Shared Key/41'" \
|
||||||
-c "<= write client hello" \
|
-c "<= write client hello" \
|
||||||
-c "Last error was: -0x7780 - SSL - A fatal alert message was received from our peer"
|
-c "Selected key exchange mode: psk_ephemeral" \
|
||||||
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
#GNUTLS-SERVER psk_ephemeral mode
|
#GNUTLS-SERVER psk_ephemeral mode
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
@ -3243,7 +3244,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: psk_ephemeral/all, good" \
|
run_test "TLS 1.3: m->G: psk_ephemeral/all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3263,7 +3264,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: psk_ephemeral/ephemeral_all, good" \
|
run_test "TLS 1.3: m->G: psk_ephemeral/ephemeral_all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3284,7 +3285,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: ephemeral/all, good" \
|
run_test "TLS 1.3: m->G: ephemeral/all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \
|
||||||
0 \
|
0 \
|
||||||
-c "Selected key exchange mode: ephemeral" \
|
-c "Selected key exchange mode: ephemeral" \
|
||||||
@ -3297,7 +3298,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: ephemeral/ephemeral_all, good" \
|
run_test "TLS 1.3: m->G: ephemeral/ephemeral_all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \
|
||||||
0 \
|
0 \
|
||||||
-c "Selected key exchange mode: ephemeral" \
|
-c "Selected key exchange mode: ephemeral" \
|
||||||
@ -3312,7 +3313,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: ephemeral_all/all, good" \
|
run_test "TLS 1.3: m->G: ephemeral_all/all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3333,7 +3334,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
|
|||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \
|
run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3356,7 +3357,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: all/all, good" \
|
run_test "TLS 1.3: m->G: all/all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3366,7 +3367,7 @@ run_test "TLS 1.3: m->G: all/all, good" \
|
|||||||
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
||||||
-s "Parsing extension 'Pre Shared Key/41'" \
|
-s "Parsing extension 'Pre Shared Key/41'" \
|
||||||
-c "<= write client hello" \
|
-c "<= write client hello" \
|
||||||
-c "Selected key exchange mode: psk$" \
|
-c "Selected key exchange mode: psk_ephemeral" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
@ -3378,7 +3379,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
|
run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
|
||||||
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+CIPHER-ALL --pskpasswd=data_files/simplepass.psk" \
|
"$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
|
||||||
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
|
"$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
|
||||||
0 \
|
0 \
|
||||||
-c "=> write client hello" \
|
-c "=> write client hello" \
|
||||||
@ -3388,5 +3389,5 @@ run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
|
|||||||
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
-s "Parsing extension 'PSK Key Exchange Modes/45'" \
|
||||||
-s "Parsing extension 'Pre Shared Key/41'" \
|
-s "Parsing extension 'Pre Shared Key/41'" \
|
||||||
-c "<= write client hello" \
|
-c "<= write client hello" \
|
||||||
-c "Selected key exchange mode: ephemeral" \
|
-c "Selected key exchange mode: psk_ephemeral" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|||||||
@ -398,7 +398,7 @@ class MbedTLSServ(MbedTLSBase):
|
|||||||
named_group=named_group,
|
named_group=named_group,
|
||||||
iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
|
iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
|
||||||
|
|
||||||
check_strings.append("Verifying peer X.509 certificate... ok")
|
check_strings.append("Certificate verification was skipped")
|
||||||
return ['-s "{}"'.format(i) for i in check_strings]
|
return ['-s "{}"'.format(i) for i in check_strings]
|
||||||
|
|
||||||
def pre_cmd(self):
|
def pre_cmd(self):
|
||||||
|
|||||||
@ -12882,7 +12882,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
|
|||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||||
run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \
|
run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \
|
||||||
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --disable-client-cert" \
|
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
|
||||||
"$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
|
"$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
|
||||||
0 \
|
0 \
|
||||||
-c "Protocol is TLSv1.3" \
|
-c "Protocol is TLSv1.3" \
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user