mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
2fe3e2b682
We recently turned on the TLSv1.3 downgrade sentinels by default. Unfortunately we are using a very old version of the BoringSSL test runner which uses an old draft implementation of TLSv1.3 that also uses the downgrade sentinels by default. The two implementations do not play well together and were causing spurious test failures. Until such time as we update the BoringSSL test runner we disable the failing tests: SendFallbackSCSV In this test the client is OpenSSL and the server is the boring test runner. The client and server fail to negotiate TLSv1.3 because the test runner is using an old draft TLSv1.3 version. The server does however add the TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we recently turned on checking of the downgrade sentinels on the client side this causes the connection to fail. VersionNegotiationExtension-TLS11 In this test the test runner is the client and OpenSSL is the server. The test modifies the supported_versions extension sent by the client to only include TLSv1.1 (and some other spurious versions), even though the client does actually support TLSv1.2. The server successfully selects TLSv1.1, but adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently switched on by default. The test runner then checks the downgrade sentinel and aborts the connection because it knows that it really supports TLSv1.2. VersionNegotiationExtension-TLS1 VersionNegotiationExtension-SSL3 The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3. ConflictingVersionNegotiation In this test the client is the test runner, and OpenSSL is the server. The client offers TLSv1.2 in ClientHello.version, but also adds a supported_versions extension that only offers TLSv1.1. The supported_versions extension takes precedence and the server (correctly) selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade sentinel. On the client side it knows it actually offered TLSv1.2 and so the downgrade sentinel check fails. [extended tests] Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013) |
||
|---|---|---|
| .github | ||
| apps | ||
| boringssl@2070f8ad91 | ||
| Configurations | ||
| crypto | ||
| demos | ||
| doc | ||
| engines | ||
| external/perl | ||
| fuzz | ||
| include | ||
| krb5@b9ad6c4950 | ||
| ms | ||
| os-dep | ||
| pyca-cryptography@58fd9c412a | ||
| ssl | ||
| test | ||
| tools | ||
| util | ||
| VMS | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmodules | ||
| .travis-apt-pin.preferences | ||
| .travis-create-release.sh | ||
| .travis.yml | ||
| ACKNOWLEDGEMENTS | ||
| appveyor.yml | ||
| AUTHORS | ||
| build.info | ||
| CHANGES | ||
| config | ||
| config.com | ||
| Configure | ||
| CONTRIBUTING | ||
| e_os.h | ||
| FAQ | ||
| INSTALL | ||
| LICENSE | ||
| NEWS | ||
| NOTES.ANDROID | ||
| NOTES.DJGPP | ||
| NOTES.PERL | ||
| NOTES.UNIX | ||
| NOTES.VMS | ||
| NOTES.WIN | ||
| README | ||
| README.ENGINE | ||
| README.FIPS | ||
OpenSSL 1.1.1-pre10-dev
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
DESCRIPTION
-----------
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
Transport Layer Security (TLS) protocols (including SSLv3) as well as a
full-strength general purpose cryptographic library.
OpenSSL is descended from the SSLeay library developed by Eric A. Young
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
OpenSSL license plus the SSLeay license), which means that you are free to
get and use it for commercial and non-commercial purposes as long as you
fulfill the conditions of both licenses.
OVERVIEW
--------
The OpenSSL toolkit includes:
libssl (with platform specific naming):
Provides the client and server-side implementations for SSLv3 and TLS.
libcrypto (with platform specific naming):
Provides general cryptographic and X.509 support needed by SSL/TLS but
not logically part of it.
openssl:
A command line tool that can be used for:
Creation of key parameters
Creation of X.509 certificates, CSRs and CRLs
Calculation of message digests
Encryption and decryption
SSL/TLS client and server tests
Handling of S/MIME signed or encrypted mail
And more...
INSTALLATION
------------
See the appropriate file:
INSTALL Linux, Unix, Windows, OpenVMS, ...
NOTES.* INSTALL addendums for different platforms
SUPPORT
-------
See the OpenSSL website www.openssl.org for details on how to obtain
commercial technical support. Free community support is available through the
openssl-users email list (see
https://www.openssl.org/community/mailinglists.html for further details).
If you have any problems with OpenSSL then please take the following steps
first:
- Download the latest version from the repository
to see if the problem has already been addressed
- Configure with no-asm
- Remove compiler optimization flags
If you wish to report a bug then please include the following information
and create an issue on GitHub:
- OpenSSL version: output of 'openssl version -a'
- Configuration data: output of 'perl configdata.pm --dump'
- OS Name, Version, Hardware platform
- Compiler Details (name, version)
- Application Details (name, version)
- Problem Description (steps that will reproduce the problem, if known)
- Stack Traceback (if the application dumps core)
Just because something doesn't work the way you expect does not mean it
is necessarily a bug in OpenSSL. Use the openssl-users email list for this type
of query.
HOW TO CONTRIBUTE TO OpenSSL
----------------------------
See CONTRIBUTING
LEGALITIES
----------
A number of nations restrict the use or export of cryptography. If you
are potentially subject to such restrictions you should seek competent
professional legal advice before attempting to develop or distribute
cryptographic code.