Various tools for testing RFC 5077
http-parser @ 1b79aba Update http-parser submodule to latest version Sep 29, 2017
httpagentparser @ 920af88 Collect user agent statistics as well. Sep 15, 2011
js Check session resume with both cache and tickets Oct 3, 2015
.gitignore git: ignore pcap/ and csv/ directories Nov 12, 2017
.gitmodules repository of http-parser changed location Sep 26, 2012
.travis.yml travis: switch to sudo-less mode Sep 29, 2017
Makefile Make it more explicit OpenSSL 1.1 is needed Mar 18, 2017
README.md Make it more explicit OpenSSL 1.1 is needed Mar 18, 2017
common-client.c add client certificate authentication to gnutls-client and openssl-cl… Sep 28, 2012
common.c bigger buffers for session tickets associated with client certificates Sep 28, 2012
common.h add client certificate authentication to gnutls-client and openssl-cl… Sep 28, 2012
gnutls-client.c Fix warning GnuTLS client Sep 29, 2017
nss-client.c fix multiple reconnects that was broken after adding the delay option… Sep 28, 2012
openssl-client.c Compatibility with OpenSSL 1.1 Nov 22, 2016
rfc5077-client.c Widen "cipher" column Nov 22, 2016
rfc5077-pcap.c Test for return values of functions allocating memory. Sep 14, 2011
rfc5077-server.c Compatibility with OpenSSL 1.1 Nov 22, 2016
rfc5077-server.html Check session resume with both cache and tickets Oct 3, 2015
rfc5077-stats.py Stats: we display "SSL" versions, not TLS Sep 16, 2011
ssl-handshake.svg Add an illustration of SSL handshake. Sep 23, 2011

README.md

RFC 5077 is a session resumption mechanism for TLS that requires no server-side state (session tickets). You'll find here various tools for testing the availability of RFC 5077.

This mechanism is a TLS extension. A client or a server that does not support TLS therefore cannot support RFC 5077.

Clients

The following clients are implemented:

  • openssl-client
  • gnutls-client
  • nss-client

They all take a host and a port as arguments. You need to use the -r flag to really test reconnection. You can also add -T to disable ticket support (RFC 5077) and -S to disable session ID support. However, disabling session IDs may be difficult, so -S may not really have the expected effect.

Only the OpenSSL client is complete enough. GnuTLS does not allow easy display of session contents and NSS does not allow checking whether a session was resumed.

Additionally, rfc5077-client offers some more advanced tests against a server or a pool of servers. It will try to reuse sessions with and without tickets and will query each IP of a pool of servers several times. Use this if you want to check support of SSL session resumption on a server or a pool of servers.

These clients may fail if you don't have working IPv6 connectivity. Get IPv6 connectivity. ;-)

Servers

rfc5077-server allows you to test support of RFC 5077 in the client of your choice. It returns an HTML page containing some JavaScript code to test browsers. You need to specify 4 ports. They will respectively behave as follows:

  1. No session cache, no ticket support
  2. Session cache, no ticket support
  3. Session cache, ticket support
  4. No session cache, ticket support

While this server has some shortcomings, it should be relatively performant and you can try to benchmark it. It should also be secure enough to be put on the Internet.

Misc

rfc5077-pcap analyzes SSL handshakes contained in PCAP files. It tries to detect "Client Hello" messages and extracts IP addresses, protocol version, Session ID, cipher suites and compression methods, and detects the use of the SNI extension and the ticket extension. It can be used to determine how many clients support a given cipher suite or how many clients support the ticket extension.

The CSV file generated by this program can then be used with rfc5077-stats.py, which produces some graphs (and also builds a SQLite database that you can query).
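As an added illustration of what rfc5077-pcap looks for (this is not code from the repository), the following Python parser extracts from one TLS record the Client Hello fields listed above: protocol version, Session ID, cipher suites, compression methods, the SNI host name and the RFC 5077 ticket extension. The extension type numbers are those assigned by RFC 6066 and RFC 5077; `build_client_hello` is a helper that constructs synthetic input so the parser can be exercised offline.

```python
import struct
EXT_SERVER_NAME = 0x0000     # SNI extension type (RFC 6066)
EXT_SESSION_TICKET = 0x0023  # SessionTicket extension type (RFC 5077)

def parse_client_hello(record):
    """Extract the fields rfc5077-pcap reports from one TLS record carrying a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a TLS handshake record carrying a ClientHello")
        hs_len = int.from_bytes(record[6:9], "big")
        hs = record[9:9 + hs_len]
        if len(hs) != hs_len:
            raise ValueError("truncated ClientHello")
        info = {"version": "%d.%d" % (hs[0], hs[1]), "sni": None, "ticket": None}
        pos = 34                                   # skip client_version (2) + random (32)
        info["session_id"] = hs[pos + 1:pos + 1 + hs[pos]].hex(); pos += 1 + hs[pos]
        cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
        info["cipher_suites"] = [struct.unpack(">H", hs[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]; pos += cs_len
        info["compression"] = list(hs[pos + 1:pos + 1 + hs[pos]]); pos += 1 + hs[pos]
        if pos == hs_len:                          # old-style hello without extensions
            return info
        end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
        if end != hs_len:
            raise ValueError("extensions length does not match ClientHello length")
        while pos < end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            if etype == EXT_SESSION_TICKET:
                info["ticket"] = len(data)         # 0: supports tickets but holds none
            elif etype == EXT_SERVER_NAME:         # ServerNameList: len, type, len, name
                info["sni"] = data[5:5 + struct.unpack(">H", data[3:5])[0]].decode()
        return info
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc

def build_client_hello(session_id=b"", sni=None, ticket=None):
    """Construct a synthetic ClientHello (constructed test input, not captured traffic)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack(">H", len(sni)) + sni.encode()
        data = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", EXT_SERVER_NAME, len(data)) + data
    if ticket is not None:
        exts += struct.pack(">HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    hs = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hs += b"\x00\x04\xc0\x2f\x00\x2f\x01\x00"     # two cipher suites, null compression
    hs += (struct.pack(">H", len(exts)) + exts) if exts else b""
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body
```

An empty SessionTicket extension is how a client announces RFC 5077 support without holding a ticket yet; a non-empty one is a resumption attempt, which is the distinction the pcap statistics rely on.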

Getting Started

If you've just cloned this from git, run the following to ensure that the submodules http-parser and httpagentparser are installed:

  • git submodule init
  • git submodule update

Then run make to build the executables. This currently needs OpenSSL 1.1. If you have an older version, go back to commit 3c37c33b46e0:

  • git checkout 3c37c33b46e0

Dependencies

To compile these you will need a few dependencies: the nss, openssl, gnutls, libpcap, libev and nspr headers and libraries.

On Fedora, the packages to install are:

  • openssl-devel
  • gnutls-devel
  • nss-devel
  • libpcap-devel
  • libev-devel
  • nspr-devel
  • pkgconfig