Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

support ECDHE ciphers in TLS 1.2 and below #414

merged 12 commits into from Jun 12, 2020


Copy link

@hannesm hannesm commented Jun 12, 2020

fixes #413 and #362

implementation according to RFC 8422

  • also removes (unused) code for arbitrary ECC (only named curves are supported)
  • also removes (unused) code for non-uncompressed EC values
  • removes ECPointFormat extension support (not needed as stated in 8422) -- in case there are TLS implementations requiring this we can re-add it later (I was not able to find any)

- only named curve type is supported
- only uncompressed ec point format

this follows RFC 8422
instead, do it in the applications
@hannesm hannesm merged commit fafa0f4 into mirleft:master Jun 12, 2020
hannesm added a commit to hannesm/opam-repository that referenced this pull request Jun 12, 2020

in mirleft/ocaml-tls#414 by @hannesm
* Drop support for RC4 ciphersuite
* Raise lower TLS version in default configuration to 1.2
* tls_lwt no longer calls Mirage_crypto_rng_unix.initialize -- this needs to be
  done in the application, inside
  `Mirage_crypto_rng_lwt.initialize () >>= fun () ->`
* Support ECDHE ciphersuites in TLS 1.2 and below as specified in RFC 8422
  (requested in mirleft/ocaml-tls#413 by @ryanakca, also in mirleft/ocaml-tls#362 by @orbitz @annubiz)
* drop "TLS_" prefix from ciphersuite constructors
* BUGFIX: TLS client (<= 1.2) assembling an empty Certificate message
  (noticed in mirleft/ocaml-tls#413, present since 0.12.0 release)
* Cleanup Packet.any_ciphersuite list (remove ARIA, CAMELLIA, KRB5, EXPORT)
* Adapt interoperability test scripts with TLS 1.3 support
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging this pull request may close these issues.

Fails with UNEXPECTED_MESSAGE or HANDSHAKE_FAILURE where openssl succeeds
1 participant