Closed
Bug 1443854
Opened 7 years ago
Closed 6 years ago
Enable more TLS 1.3 tests for BoGo
Categories
(NSS :: Test, enhancement)
NSS
Test
Tracking
(Not tracked)
RESOLVED
FIXED
3.39
People
(Reporter: ttaubert, Assigned: franziskus)
References
Details
Attachments
(1 file)
We currently exclude "*TLS13*". With a draft-23 BoGo (bug 1443799) we should be able to get some more coverage.
Reporter | ||
Comment 1•7 years ago
|
||
There are many tests that fail mostly due to a (IMO) wonky middlebox compat mode implementation in the BoGo code. Per spec [1] the server MUST send a CCS only if the client sends a non-empty SessionID.
The BoGo client doesn't send a SessionID by default, it however always expects a CCS. We only send a CCS when we think that the client opted into the compat mode, as described by the spec.
It seems that we're implementing the spec correctly and BoGo shouldn't expect a CCS, but of course tolerate one if we would send it.
Eric, wdyt?
[1] https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#rfc.appendix.D.4
Flags: needinfo?(ekr)
Comment 2•7 years ago
|
||
Yes, this sounds like a defect in BoGo, or at least an over-strict test.
Flags: needinfo?(ekr) → needinfo?(davidben)
Comment 3•7 years ago
|
||
BoGo is a test suite for BoringSSL and tests the stricter specification for BoringSSL. BoringSSL's specification is "always enable compatibility mode". (I don't like the client-triggered clause in the spec. It's needless complexity.)
Flags: needinfo?(davidben)
Comment 4•7 years ago
|
||
David, would you be willing to take a patch to BoBo to send the session ID?
Flags: needinfo?(davidben)
Comment 5•7 years ago
|
||
Hrm. How about BoGo send the session ID in TLS 1.3 by default, but we'll add one test where BoGo doesn't send one and asserts that the shim server still does compatibility mode? Then you can mask off that one, but the majority of the tests will still check out.
Flags: needinfo?(davidben)
Comment 6•7 years ago
|
||
Fantastic
Comment 7•7 years ago
|
||
How's this work for you all?
https://boringssl-review.googlesource.com/c/boringssl/+/26504
Reporter | ||
Comment 8•7 years ago
|
||
(In reply to David Benjamin from comment #7)
> How's this work for you all?
> https://boringssl-review.googlesource.com/c/boringssl/+/26504
Works great, just tested it locally. Thanks David!
Comment 9•7 years ago
|
||
Sorry about the delay. This should be in BoringSSL master now.
Reporter | ||
Updated•7 years ago
|
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Comment 10•7 years ago
|
||
Comment 11•7 years ago
|
||
Comment on attachment 8979462 [details]
Bug 1443854 - Enable more TLS 1.3 tests for BoGo
Martin Thomson [:mt:] has approved the revision.
https://phabricator.services.mozilla.com/D1346
Attachment #8979462 -
Flags: review+
Reporter | ||
Updated•7 years ago
|
Assignee: ttaubert → nobody
Status: ASSIGNED → NEW
Assignee | ||
Comment 12•6 years ago
|
||
Assignee: nobody → franziskuskiefer
Target Milestone: --- → 3.39
Assignee | ||
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•