Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 #17763
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common.
@@ -567,7 +567,7 @@ sub testssl { | |||
|
|||
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), | |||
'test tls1 with PSK via BIO pair'); | |||
} | |||
} |
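Review bot: the `-cipher PSK` case in this hunk sets no security level in the cipher string, so on its own it would not exercise the SECLEVEL >= 3 forward-secrecy check that this PR changes. If a case pairing a DHE-PSK or ECDHE-PSK suite with `@SECLEVEL=3` is not already covered elsewhere in the recipe, add one next to this test.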
The indentation of the `SKIP: {` blocks and related closing braces is a bit wonky throughout the file.
A pass could be done to improve the indentation, but I am likely not the right person because I don't fully grasp the convention used for our Perl test recipes.
I can do such a pass in this file if requested, but I would need guidance from @mattcaswell
…EL >= 3 Align option explanations
Nice work!
Should this have a CHANGES entry? - at the minimum this then indicates that it was a bug and it is documented when it was fixed
…r SECLEVEL >= 3 Add CHANGES entry: credits to Dmitry Belyavskiy for reporting the issue and proposing the resolution, myself for the final implementation and work on tests.
I pushed a fixup commit with a CHANGES entry. @beldmit @paulidale can you rereview?
to the list of ciphersuites providing Perfect Forward Secrecy as | ||
required by SECLEVEL >= 3. | ||
|
||
*Dmitry Belyavskiy, Nicola Tuveri* |
Not sure about the order because you did almost all work.
I stand by it: you reported the issue, proposed its resolution to the OTC, and the work we did independently to implement the actual change is virtually identical.
LGTM
The origin branch on my GitHub fork is reporting failures in the compiler-zoo and windows workflows, but they seem to be due to GitHub timeouts rather than build errors under our control.
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
@paulidale please reconfirm
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #17763)
Merged to
Merged to
Backport to
Thanks everyone for all the feedback!
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #17763)
(cherry picked from commit 66914fc)
This is an alternative to #17759 to fix #17743.

It comprises 3 commits:

- Replace `SSL_kE(EC)?DH` with `SSL_k(EC)?DHE`, as the latter spelling is more common and familiar to internal and external developers. Each pair is already reported as aliases in our headers: `openssl/ssl/ssl_local.h`, lines 165 to 172 in a044af4
- Add `SSL_kDHEPSK` and `SSL_kECDHEPSK` flags to the PFS check for SECLEVEL >= 3

The test commit further revises the test binary to improve the `-help` documentation, syncing it with the actual behavior (e.g., the default is `-dhe2048` not `-dhe1024`; `-tls1_2` is a supported option, but was not documented as such), and also adds support (and documentation) for `-tls1_1` and for well-known 4096-bit DH parameters. `-dhe4096` is added because 2048-bit parameters fail to meet the requirement for >=128 security bits.
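A small model of the level-3 rules this description refers to, added here as an illustration and not taken from OpenSSL's source. The flag values, function names, the "before" mask and the NIST SP 800-57 strength table are assumptions of the example.

```c
#include <stdio.h>

/* Stand-ins for the key-exchange flags named in the PR; the numeric
 * values are constructed for this example, not OpenSSL's. */
enum {
    KX_RSA = 0x01, KX_DHE = 0x02, KX_ECDHE = 0x04, KX_PSK = 0x08,
    KX_RSAPSK = 0x10, KX_ECDHEPSK = 0x20, KX_DHEPSK = 0x40
};

/* Forward-secrecy mask without (assumed) and with the two PSK variants. */
#define PFS_MASK_OLD (KX_DHE | KX_ECDHE)
#define PFS_MASK_NEW (PFS_MASK_OLD | KX_DHEPSK | KX_ECDHEPSK)

/* Level >= 3 accepts a suite only if its key exchange is forward secret. */
int level3_allows_kx(unsigned kx, unsigned pfs_mask)
{
    return (kx & pfs_mask) != 0;
}

/* Coarse NIST SP 800-57 strength estimate for finite-field DH moduli. */
int dh_security_bits(int modulus_bits)
{
    if (modulus_bits >= 15360) return 256;
    if (modulus_bits >= 7680)  return 192;
    if (modulus_bits >= 3072)  return 128;
    if (modulus_bits >= 2048)  return 112;
    if (modulus_bits >= 1024)  return 80;
    return 0;
}

/* A DHE-PSK handshake at level 3 needs both a forward-secret key
 * exchange and DH parameters worth at least 128 security bits. */
int level3_allows_dhe_psk(int dh_bits, unsigned pfs_mask)
{
    return level3_allows_kx(KX_DHEPSK, pfs_mask)
        && dh_security_bits(dh_bits) >= 128;
}

int main(void)
{
    printf("DHE-PSK, old mask, 4096-bit DH: %d\n",
           level3_allows_dhe_psk(4096, PFS_MASK_OLD));
    printf("DHE-PSK, new mask, 2048-bit DH: %d\n",
           level3_allows_dhe_psk(2048, PFS_MASK_NEW));
    printf("DHE-PSK, new mask, 4096-bit DH: %d\n",
           level3_allows_dhe_psk(4096, PFS_MASK_NEW));
    return 0;
}
```

Only the last combination passes, which is why a level-3 DHE-PSK test needs both the widened mask and parameters larger than 2048 bits.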