Add support for testing TLS 1.3

Question

Add support for testing TLS 1.3

tomato42 opened this issue 6 years ago · 11 comments

New version of protocol, new ciphers.

They are not controlled with the -cipher option but rather the -ciphersuites option in OpenSSL, so using OpenSSL 1.1.1 will likely give us wrong results.

Answer 1 · 2018-08-30T12:01:13.000Z

I've been thinking about this quite a bit, and I'm not sure we can get an openssl binary that supports both tls1.3 and sslv2 with all the intermediate patches @PeterMosmans used to maintain.

Is it time to replace openssl and rewrite cipherscan to use tlslite-ng?

Answer 2 · 2018-08-30T12:28:19.000Z

feels like it...
I see two possible obstacles for that - lack of support for ECDSA (tlsfuzzer/tlslite-ng#52) and lack of support for session tickets (tlsfuzzer/tlslite-ng#60) in tlslite-ng

that's assuming that we want to duplicate as much functionality from current script as possible... if we're ok with not providing the ticket lifetimes and not performing full handshakes, then the situation is much simpler

I think we will have to settle for not being able to gather session ticket lifetimes for more obscure ciphers like SEED or ARIA for some time, but not being able to do it for servers that have just ECDSA certificates is more painful

Answer 3 · 2018-08-30T12:48:21.000Z

how about using 1.0.2 from Peter and 1.1.1?

Answer 4 · 2018-08-30T12:57:45.000Z

because TLS 1.3 ciphers are not the only problem, there are also additions like ARIA that are compatible with TLS 1.2 and there are ciphers that were removed in OpenSSL 1.1.1, so by running the test twice with TLS 1.2, we may end up with two disjoint lists that you can't provide ordering for

also, 1.0.2 will only get harder and harder to compile and run, so migrating from it is more future proof

Answer 5 · 2018-08-30T13:54:44.000Z

wrt to 1.0.2.: I agree moving away from seems future proof. But why should it get harder and harder to compile and run? Did you mean patch ?

Answer 6 · 2018-08-30T13:56:49.000Z

code bit rots

compilers become more and more picky about code they will compile, new architectures are born that will not be supported by the openssl 1.0.2 build system making it impossible to compile on them

Answer 7 · 2018-08-30T14:28:47.000Z

The official end of LTS support is still ahead (12/2019). Will any compiler until then really dare to hiccup?

Answer 8 · 2018-08-30T15:15:54.000Z

I'm not saying that it's something that we have to worry happening "tomorrow", but if we manage to fully convert cipherscan to python in just one year, I'll be surprised

Answer 9 · 2018-09-02T17:29:34.000Z

Great discussion... and not one that's easy to solve.
Granted, I haven't put much time so far in updating the 1.0.2 fork, but, looking at this discussion... What theoretically would make more sense for the OpenSSL fork: "Maintaining" 1.0.2, or backporting/patching a new 1.1.1-insecure fork? It would be so efficient to leverage the OpenSSL codebase for the heavy crypto-lifting, as opposed to implementing the missing parts (see @tomato42 's remarks) in Python

Answer 10 · 2018-09-02T18:06:48.000Z

the only way to show that a server does not support given protocol or cipher is to actually try making a connection with it, so we need something that can do SSLv2 protocol, TLS_RSA_EXP1024_* ciphers, etc.

while it is efficient to reuse OpenSSL's code, their goals are different than ours (and for a good reason), so we will just continue to diverge

oh, and actually, OpenSSL 1.1.1 will not be feature complete enough to scan TLS 1.3 servers running NSS or GnuTLS: openssl/openssl#6519 . Then there is the problem of detecting if the server is not running one of the draft versions of TLS 1.3...

the tlslite-ng primary goal is to power tlsfuzzer, and it in turn has very similar goals to cipherscan – i.e. cipher or protocol termed "insecure" definitely will not be removed, exactly so that it can be used to verify that it doesn't work

also, while it does look like duplication of effort, the effort itself is not large – adding session ticket support is about a day's work, ECDSA support is something like 2 days, fully supporting new cipher is usually like a day or two (not having to worry about performance or side-channels makes the implementation much easier) – problem is that while cipherscan is a hobby project for me, tlslite-ng is a work project, and I want to keep them separate... (workaholism and all that 😄 ) In work, my priority now is TLS 1.3 and maintenance, not plugging holes in TLS 1.2 support ☹️

Answer 11 · 2019-10-03T09:11:15.000Z

Small update: ECDSA is technically[1] supported in tlsllite-ng now: tlsfuzzer/tlslite-ng#359, tlsfuzzer/tlslite-ng#360

OpenSSL master also supports FFDHE now openssl/openssl#6519

1 - I'm saying "technically" as not the full checklist of features is addressed: tlsfuzzer/tlslite-ng#196