[ 
https://issues.apache.org/jira/browse/PROTON-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16740642#comment-16740642
 ] 

Chuck Rolke commented on PROTON-1989:
-------------------------------------

Some of the self test failures in dispatch are:
 * Test server enables TLSv1 and TLSv1_1 and disable TLSv1_2.
 * Test client enables only TLSv1_2.
 * Test expects the connection to fail but the connection succeeds.
 * The error report is that TLSv1_2 should not work but it does.
 * Wireshark reports that the connection succeeds using *TLSv1_3.*

 

> TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1
> ------------------------------------------------------------
>
>                 Key: PROTON-1989
>                 URL: https://issues.apache.org/jira/browse/PROTON-1989
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: proton-c-0.26.0
>         Environment: Fedora 29, Python 2.7.15, OpenSSL 1.1.1 FIPS  11 Sep 2018
>            Reporter: Chuck Rolke
>            Priority: Major
>
> There are several related issues:
>  * OpenSSL 1.1.1 adds protocol version TLSv1_3. The current config interface 
> has no way to enable or disable that version. This was predicted in 
> PROTON-1670.
>  * The OP_NO_TLSxxx options are deprecated.
>  * The new way to specify TLS versions is through a min-version and 
> max-version scheme. Proton offers no interface for that to client customers.
>  * The ssl self test tests the customer interface nicely but does not test 
> that the requested TLS versions used by the domain are enforced or not. 
> Qpid-dispatch has a self test that exercises actual connections 
> [https://github.com/apache/qpid-dispatch/blob/master/tests/system_tests_ssl.py]
>  and it is failing with OpenSSL v1.1.1.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to