Post handshake auth #551
This pull request introduces 1 alert when merging ec6d045 into 79936b8 - view on LGTM.com new alerts:
Comment posted by LGTM.com
ec6d045 to 97c092c
This pull request introduces 1 alert when merging 97c092c into 79936b8 - view on LGTM.com new alerts:
Comment posted by LGTM.com
This pull request introduces 1 alert when merging c3924a1 into 79936b8 - view on LGTM.com new alerts:
Comment posted by LGTM.com
c3924a1 to 52a4207
3925cf6 to 6a76be8
f930435 to ba6c85a
ba6c85a to d132f91
4e0e1e8 to 91afc54
expect the connection to fail if the server is configured with not only requesting but also requiring the client to provide certificates in post-handshake authentication
since the conversation can be reused (as is the case in "sanity" tests), the context sometimes needs to be cleared (as otherwise we would sign messages from the previous handshake)
91afc54 to 2ff9774
Could you document somewhere the options I should use to be able to test openssl server PHA using the added expect script?
Reviewed 5 of 8 files at r1, 4 of 4 files at r4, 3 of 3 files at r5, 1 of 1 files at r6, 3 of 3 files at r7, 3 of 3 files at r8, 1 of 1 files at r9, 1 of 1 files at r10, 2 of 2 files at r11, 1 of 1 files at r12, 1 of 1 files at r13, 3 of 3 files at r14.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @codeclimate[bot])
2ff9774 to 889cfc5
I didn't add it as it doesn't require any special options, just the key and certificates are needed for openssl
Reviewable status: 10 of 11 files reviewed, 1 unresolved discussion (waiting on @ansasaki and @codeclimate[bot])
Ok, but what options should I use to run the test-tls13-post-handshake-auth.py script? I'm asking because I couldn't make the tests pass against openssl. Using --pha-as-reply I get 4 tests passing and 2 failing. Is this expected?
Reviewed 1 of 1 files at r15.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @codeclimate[bot])
did you specify also -k and -c options? --pha-as-reply should be the only thing needed:
$ PYTHONPATH=. python scripts/test-tls13-post-handshake-auth.py -k /tmp/client/key.pem -c /tmp/client/cert.pem --pha-as-reply
sanity ...
OK
post-handshake authentication with no client cert ...
OK
post-handshake authentication with KeyUpdate ...
OK
malformed signature in PHA ...
OK
post-handshake authentication ...
OK
sanity ...
OK
Basic post-handshake authentication test case
Check if server will accept PHA, check if server rejects invalid
signatures on PHA CertificateVerify, etc.
version: 1
Test end
successful: 6
failed: 0
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @codeclimate[bot])
Ok, after using a client certificate trusted by the server, it worked fine.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @codeclimate[bot])
Description
Implement support and add a simple test case for the post_handshake_auth extension
Motivation and Context
depends on: tlsfuzzer/tlslite-ng#350, #543, tlsfuzzer/tlslite-ng#379, tlsfuzzer/tlslite-ng#380 and #501
fixes #296
filed #622 to handle the one remaining issue from codeclimate
Checklist
tlslite-ng.json and tlslite-ng-random-subset.json