-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIPS compatibility for test cases #563
Labels
complex
Issues that require good knowledge of tlsfuzzer internals
enhancement
new feature to be implemented
help wanted
Comments
tomato42
added
enhancement
new feature to be implemented
help wanted
complex
Issues that require good knowledge of tlsfuzzer internals
labels
Aug 15, 2019
10 tasks
This was referenced Aug 21, 2019
10 tasks
This was referenced Aug 29, 2019
Merged
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 4, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
10 tasks
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 4, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
10 tasks
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 5, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 5, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 5, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 5, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 5, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 5, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 6, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 6, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
t184256
added a commit
to t184256/tlsfuzzer
that referenced
this issue
Sep 6, 2019
Add an option to negotiate (EC)DHE instead of RSA key exchange for scripts/test-extended-master-secret-extension*.py See the tlsfuzzer#563 (umbrella bug) for the context.
10 tasks
This was referenced May 10, 2022
10 tasks
10 tasks
10 tasks
This was referenced Aug 21, 2024
Merged
Merged
10 tasks
This was referenced Sep 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
complex
Issues that require good knowledge of tlsfuzzer internals
enhancement
new feature to be implemented
help wanted
Bug Report
Problem description
Many TLS 1.2 test cases depend on the server having support for kRSA ciphers, in particular, the
TLS_RSA_WITH_AES_128_CBC_SHA
ciphersuite. In new FIPS requirements, only DHE and ECDHE key exchange is supported. That means not only the client may need to advertise a curve for interoperability (P-256, P-384 or P-521 in this case), but it also requires the support for SHA-256 to be advertised (as support for SHA-1 is also disallowed in FIPS mode).Some of the new (as of 2022) libraries also don't enable CBC ciphers, even though FIPS still allows them.
Expected behaviour
The problem is, that adding two extensions to the ClientHello does change the test cases quite significantly (and also requires expecting the ServerKeyExchange message). So it would be better to provide it as an option rather than to switch all test cases to this new approach.
The test cases that were modified use the
-d
option to do that. For consistency others should do the same.It would also be good to have the
-C
option to set used ciphersuite more universally supported.The text was updated successfully, but these errors were encountered: