
@kostis kostis commented Apr 22, 2025

In preparation for testing DTLS 1.3 on OpenSSL, we add support for the latest release of OpenSSL (3.5.0) and include its server in the list of tested systems of the CI.

However, something does not seem right in the hypotheses that we learn. Perhaps @pfg666 should look into this.

There is also a related open issue (#24) showing that the current support for OpenSSL 3.x.x. is not OK.

@c-southwest (Collaborator)

@kostis @pfg666
I tested other learning configurations with OpenSSL 3.5.0 DTLS 1.2 and they can complete the handshake. Have you already tested these configurations?

I found that learn_openssl_server_all_cert_req is similar to learn_openssl_server_all_cert_none; the only difference I can see is:
In learn_openssl_server_all_cert_req, when starting openssl s_server, there is one extra parameter: -Verify 1

I use the command ./suts/openssl-3.5.0/apps/openssl s_server -h to check the help and I find the following text:

 -verify int                Turn on peer certificate verification
 -Verify int                Turn on peer certificate verification, must have a cert

openssl-3.5.0_server_all_cert_req

Argument: args/openssl/learn_openssl_server_all_cert_req -Dopenssl.version=3.5.0
Trimmed Model:
openssl-3.5.0_server_all_cert_req_hyp11_nicer.pdf

openssl-3.5.0_server_psk

Argument: args/openssl/learn_openssl_server_psk -Dopenssl.version=3.5.0
Trimmed Model:
openssl-3.5.0_server_psk_hyp8_nicer.pdf


kostis commented May 8, 2025

The patch to OpenSSL's code fixed some issue with non-determinism when learning OpenSSL servers, so some progress has been achieved.

Regarding learning clients, I've extended the CI with a test for an OpenSSL 3.5.0 client configuration, but the hypotheses we learn, not only for this particular configuration but also in other ones, are obviously not correct (we learn models with only one state and/or some Alert(FATAL,HANDSHAKE_FAILURE) outputs). We should investigate this.

@pfg666 @c-southwest : Help is needed.

@kostis changed the title from "Include OpenSSL 3.5.0 in list of tested SULs and test its server" to "Include OpenSSL 3.5.0 in list of tested SULs" on May 8, 2025
@c-southwest (Collaborator)

@kostis @pfg666 I fixed the problem by adding the -legacy_renegotiation flag to the command that launches the OpenSSL 3.5.0 client, to manually enable legacy renegotiation.

Using the command ./suts/openssl-3.5.0/apps/openssl s_client -h, we can see the relevant options:

-legacy_renegotiation      Enable use of legacy renegotiation (dangerous)
-legacy_server_connect     Allow initial connection to servers that don't support RI
