Re: [openssl-users] Call for testing TLS 1.3

2018-06-21 Thread Matt Caswell
On 21/06/18 10:44, John Jiang wrote: > If s_server doesn't use option -early_data, the NewSessionTicket won't > contain early_data extension, > and then in the second connection, s_client won't send early data even if > option -early_data is used. > Right? Correct. > Is it possible to take

Re: [openssl-users] Call for testing TLS 1.3

2018-06-21 Thread John Jiang
2018-06-20 17:01 GMT+08:00 Matt Caswell : > > > On 20/06/18 07:11, John Jiang wrote: > > 2018-06-19 6:21 GMT+08:00 Matt Caswell > >: > > > > > > > > On 18/06/18 21:23, Hubert Kario wrote: > > > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote: > > >>

Re: [openssl-users] Call for testing TLS 1.3

2018-06-20 Thread Matt Caswell
On 20/06/18 07:11, John Jiang wrote: > 2018-06-19 6:21 GMT+08:00 Matt Caswell >: > > > > On 18/06/18 21:23, Hubert Kario wrote: > > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote: > >> On 08/06/18 02:48, John Jiang wrote: > >>> Is it

Re: [openssl-users] Call for testing TLS 1.3

2018-06-20 Thread John Jiang
2018-06-19 6:21 GMT+08:00 Matt Caswell : > > > On 18/06/18 21:23, Hubert Kario wrote: > > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote: > >> On 08/06/18 02:48, John Jiang wrote: > >>> Is it possible to check Key/IV update feature via these tools? > >>> Thanks! > >> > >> Yes. See the

Re: [openssl-users] Call for testing TLS 1.3

2018-06-18 Thread Matt Caswell
On 18/06/18 21:23, Hubert Kario wrote: > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote: >> On 08/06/18 02:48, John Jiang wrote: >>> Is it possible to check Key/IV update feature via these tools? >>> Thanks! >> >> Yes. See the "CONNECTED COMMANDS" sections of these pages: >>

Re: [openssl-users] Call for testing TLS 1.3

2018-06-18 Thread Hubert Kario
On Sunday, 29 April 2018 12:43:26 CEST Kurt Roeckx wrote: > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS > 1.3 brings a lot of changes that might cause incompatibility. For > an overview see https://wiki.openssl.org/index.php/TLS1.3 > > We are considering if we should enable

Re: [openssl-users] Call for testing TLS 1.3

2018-06-18 Thread Hubert Kario
On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote: > On 08/06/18 02:48, John Jiang wrote: > > Is it possible to check Key/IV update feature via these tools? > > Thanks! > > Yes. See the "CONNECTED COMMANDS" sections of these pages: > https://www.openssl.org/docs/manmaster/man1/s_server.html

Re: [openssl-users] Call for testing TLS 1.3

2018-06-08 Thread Matt Caswell
On 08/06/18 02:48, John Jiang wrote: > Is it possible to check Key/IV update feature via these tools? > Thanks! Yes. See the "CONNECTED COMMANDS" sections of these pages: https://www.openssl.org/docs/manmaster/man1/s_server.html https://www.openssl.org/docs/manmaster/man1/s_client.html

Re: [openssl-users] Call for testing TLS 1.3

2018-06-07 Thread John Jiang
Is it possible to check Key/IV update feature via these tools? Thanks! 2018-05-23 20:33 GMT+08:00 Matt Caswell : > > > On 23/05/18 12:39, John Jiang wrote: > > Hi, > > If just using s_server and s_client, can I test the TLS 1.3 features, > > like HelloRetryRequest and resumption? > > Yes. > >

Re: [openssl-users] Call for testing TLS 1.3

2018-05-29 Thread Benjamin Kaduk via openssl-users
(For those who are not Jouni, there is some spec work needed for TLS 1.3/EAP integration as well, occurring in the IETF EMU working group. I assume Jouni is on the mailing list and knows this already) -Ben On Mon, May 28, 2018 at 03:28:13PM +0300, Jouni Malinen wrote: > On Sun, Apr 29, 2018 at

Re: [openssl-users] Call for testing TLS 1.3

2018-05-28 Thread Jouni Malinen
On Sun, Apr 29, 2018 at 12:43:26PM +0200, Kurt Roeckx wrote: > We are considering if we should enable TLS 1.3 by default or not, > or when it should be enabled. For that, we would like to know how > applications behave with the latest beta release. It looks like a couple of TLS 1.3 changes result

Re: [openssl-users] Call for testing TLS 1.3

2018-05-24 Thread Matt Caswell
On 24/05/18 10:58, John Jiang wrote: > Should I see PSK identity here? Or, it is the TLS session ticket. It's the session ticket. > A HelloRetryRequest will occur if the key share provided by the client > is not acceptable to the server. By default the client will send an > X25519

Re: [openssl-users] Call for testing TLS 1.3

2018-05-24 Thread John Jiang
Hi Matt, Thanks for your reply! 2018-05-23 20:33 GMT+08:00 Matt Caswell : > > To test resumption first create a full handshake TLSv1.3 connection and > save the session: > > $ openssl s_server -cert cert.pem -key key.pem > $ openssl s_client -sess_out session.pem > > Close the

Re: [openssl-users] Call for testing TLS 1.3

2018-05-23 Thread Matt Caswell
On 23/05/18 12:39, John Jiang wrote: > Hi, > If just using s_server and s_client, can I test the TLS 1.3 features, > like HelloRetryRequest and resumption? Yes. To create a normal (full handshake) TLSv1.3 connection just use s_server/s_client in the normal way, e.g. $ openssl s_server -cert

Re: [openssl-users] Call for testing TLS 1.3

2018-05-23 Thread John Jiang
Hi, If just using s_server and s_client, can I test the TLS 1.3 features, like HelloRetryRequest and resumption? 2018-04-29 18:43 GMT+08:00 Kurt Roeckx : > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS > 1.3 brings a lot of changes that might cause

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Salz, Rich via openssl-users
>Interoperability issues with middle-boxes or existing software written for > TLS 1.2. Facebook, Google, and Mozilla did lots of testing with TLS 1.3 and middleboxes. If something was missed, the whole Internet will have problems. Existing software is the question we are trying to

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Dennis Clarke
On 30/04/18 05:41 PM, Matt Caswell wrote: On 30/04/18 21:55, Dennis Clarke wrote: On 30/04/18 03:48 PM, Salz, Rich via openssl-users wrote: I think that makes a very strong argument that TLS 1.3 should be enabled by default if at all possible. Question would be "why would it not be?"

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Matt Caswell
On 30/04/18 21:55, Dennis Clarke wrote: > On 30/04/18 03:48 PM, Salz, Rich via openssl-users wrote: >> I think that makes a very strong argument that TLS 1.3 should be >> enabled by default if at all possible. > > > Question would be "why would it not be?" TLSv1.3 behaves differently to

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Viktor Dukhovni
> On Apr 30, 2018, at 4:55 PM, Dennis Clarke wrote: > > Question would be "why would it not be?" Interoperability issues with middle-boxes or existing software written for TLS 1.2. -- Viktor. -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Dennis Clarke
On 30/04/18 03:48 PM, Salz, Rich via openssl-users wrote: I think that makes a very strong argument that TLS 1.3 should be enabled by default if at all possible. Question would be "why would it not be?" dc

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Salz, Rich via openssl-users
>The issue is most likely that no one "in the wild" has done any testing of significance. I thought the Akamai numbers were significant. I can certainly see tls1.2 exchange but there is nothing for tls1.3 and so I am working on getting a site up pronto ( in the wild ) to

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Dennis Clarke
On 30/04/18 03:01 PM, Salz, Rich via openssl-users wrote: Sorry, typo. We've had hundreds of millions of connections, with megabytes of data exchanged." The issue is most likely that no one "in the wild" has done any testing of significance. I can certainly see tls1.2 exchange but there

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Salz, Rich via openssl-users
Sorry, typo. We've had hundreds of millions of connections, with megabytes of data exchanged." On 4/30/18, 11:52 AM, "Salz, Rich" wrote: Akamai has had millions of connections with megabytes of data exchanged. This is with partial deployment on our network, and

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Salz, Rich via openssl-users
Akamai has had millions of connections with megabytes of data exchanged. This is with partial deployment on our network, and requiring customers to opt in to enable beta-testing. We have found no issues. We don't do 0RTT. We are using our own server. I was surprised by how many connections

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Dennis Clarke
Yes, by default only 3 are enabled, but there are also 2 other supported included in ALL. I must have done something wrong here as I see these 3 only : n0$ LD_LIBRARY_PATH=`pwd`/openssl-1.1.1-pre5_SunOS5.10_sparc64vii+.001 \ > openssl-1.1.1-pre5_SunOS5.10_sparc64vii+.001/apps/openssl \ >

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Kurt Roeckx
On Sun, Apr 29, 2018 at 10:05:39PM -0400, Dennis Clarke wrote: > On 29/04/18 06:43 AM, Kurt Roeckx wrote: > > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS > > 1.3 brings a lot of changes that might cause incompatibility. For > > an overview see

Re: [openssl-users] Call for testing TLS 1.3

2018-04-29 Thread Dennis Clarke
On 29/04/18 06:43 AM, Kurt Roeckx wrote: The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS 1.3 brings a lot of changes that might cause incompatibility. For an overview see https://wiki.openssl.org/index.php/TLS1.3 Looking at

[openssl-users] Call for testing TLS 1.3

2018-04-29 Thread Kurt Roeckx
The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS 1.3 brings a lot of changes that might cause incompatibility. For an overview see https://wiki.openssl.org/index.php/TLS1.3 We are considering if we should enable TLS 1.3 by default or not, or when it should be enabled. For that,