Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Downgrade protection #308
Downgrade protection #308
Changes from all commits
8483f9b
83260c4
b971f5d
cd6f7ff
94ef92b
2b4f21b
65510f6
7f202d4
5ccec44
1042a7f
1a00c57
e600fcb
d2802e8
75b9c30
68b2ea2
6e8394d
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is tested 100 times with QuickCheck, can we add other downgrade scenarios as well as version combinations with no downgrade?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added the test case downgrading from TSL 1.3 to TLS 1.1.
If we can use
arbitraryPairParams
instead ofarbitraryPairParams13
and guess the negotiated version, we can cover downgrade senario (TLS 1.2 -> TLS 1.1). In this case, mixing no downgrade make sense to me.Unfortunately, I have no idea on how to tell the negotiated version. So, this test covers downgrade senarios only.