[jira] [Commented] (PROTON-1989) TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1

2019-02-22 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16775628#comment-16775628
 ] 

ASF subversion and git services commented on PROTON-1989:
-

Commit 7db4c2c0b720c567d808ae71e49abeb734f5a6a2 in qpid-proton's branch 
refs/heads/master from Andrew Stitcher
[ https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=7db4c2c ]

PROTON-1989: [c] Support TLSv1.3 with openssl 1.1.1


> TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1
> 
>
> Key: PROTON-1989
> URL: https://issues.apache.org/jira/browse/PROTON-1989
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: proton-c-0.26.0
> Environment: Fedora 29, Python 2.7.15, OpenSSL 1.1.1 FIPS  11 Sep 2018
>Reporter: Chuck Rolke
>Assignee: Andrew Stitcher
>Priority: Major
>
> OpenSSL 1.1.1 adds protocol version TLSv1_3. The current config interface has 
> no way to enable or disable that version. This was predicted in PROTON-1670.
> The ssl self test tests the customer interface nicely but does not test that 
> the requested TLS versions used by the domain are enforced or not. 
> Qpid-dispatch has a self test that exercises actual connections 
> [https://github.com/apache/qpid-dispatch/blob/master/tests/system_tests_ssl.py]
>  and it is failing with OpenSSL v1.1.1.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org



[jira] [Commented] (PROTON-1989) TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1

2019-02-22 Thread Andrew Stitcher (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16775366#comment-16775366
 ] 

Andrew Stitcher commented on PROTON-1989:
-

I don't think it is helpful to bundle these issues into one JIRA. It seems to 
me that the proximate issue is the dispatch test failure, which is related to 
the addition of TLS 1.3.

Possible future proofing of the code and the OpenSSL API deprecation are 
different (though related) issues.

I'm going to split the issues.

> TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1
> 
>
> Key: PROTON-1989
> URL: https://issues.apache.org/jira/browse/PROTON-1989
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: proton-c-0.26.0
> Environment: Fedora 29, Python 2.7.15, OpenSSL 1.1.1 FIPS  11 Sep 2018
>Reporter: Chuck Rolke
>Assignee: Andrew Stitcher
>Priority: Major
>
> There are several related issues:
>  * OpenSSL 1.1.1 adds protocol version TLSv1_3. The current config interface 
> has no way to enable or disable that version. This was predicted in 
> PROTON-1670.
>  * The OP_NO_TLSxxx options are deprecated.
>  * The new way to specify TLS versions is through a min-version and 
> max-version scheme. Proton offers no interface for that to client customers.
>  * The ssl self test tests the customer interface nicely but does not test 
> that the requested TLS versions used by the domain are enforced or not. 
> Qpid-dispatch has a self test that exercises actual connections 
> [https://github.com/apache/qpid-dispatch/blob/master/tests/system_tests_ssl.py]
>  and it is failing with OpenSSL v1.1.1.






[jira] [Commented] (PROTON-1989) TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1

2019-01-11 Thread Chuck Rolke (JIRA)


[ 
https://issues.apache.org/jira/browse/PROTON-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16740642#comment-16740642
 ] 

Chuck Rolke commented on PROTON-1989:
-

Some of the self test failures in dispatch are:
 * Test server enables TLSv1 and TLSv1_1 and disables TLSv1_2.
 * Test client enables only TLSv1_2.
 * Test expects the connection to fail but the connection succeeds.
 * The error report is that TLSv1_2 should not work but it does.
 * Wireshark reports that the connection succeeds using *TLSv1_3.*

 

> TLS Configuration does not support TLSv1_3 in OpenSSL v1.1.1
> 
>
> Key: PROTON-1989
> URL: https://issues.apache.org/jira/browse/PROTON-1989
> Project: Qpid Proton
>  Issue Type: Bug
>  Components: proton-c
>Affects Versions: proton-c-0.26.0
> Environment: Fedora 29, Python 2.7.15, OpenSSL 1.1.1 FIPS  11 Sep 2018
>Reporter: Chuck Rolke
>Priority: Major
>
> There are several related issues:
>  * OpenSSL 1.1.1 adds protocol version TLSv1_3. The current config interface 
> has no way to enable or disable that version. This was predicted in 
> PROTON-1670.
>  * The OP_NO_TLSxxx options are deprecated.
>  * The new way to specify TLS versions is through a min-version and 
> max-version scheme. Proton offers no interface for that to client customers.
>  * The ssl self test tests the customer interface nicely but does not test 
> that the requested TLS versions used by the domain are enforced or not. 
> Qpid-dispatch has a self test that exercises actual connections 
> [https://github.com/apache/qpid-dispatch/blob/master/tests/system_tests_ssl.py]
>  and it is failing with OpenSSL v1.1.1.



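
The failure reported in this thread, as an added example that is not part of the original messages and is not Proton or OpenSSL code: a small model of protocol-version selection showing why a deny-list configuration lets the dispatch test connect over TLSv1_3, and why a min/max range does not. All function names and version lists are constructed for illustration.

```python
# Added illustration (constructed model, not OpenSSL or Proton code).
# Versions in ascending order, as known to a given TLS library build.
PRE_1_1_1 = ["TLSv1", "TLSv1_1", "TLSv1_2"]
WITH_1_1_1 = PRE_1_1_1 + ["TLSv1_3"]  # OpenSSL 1.1.1 adds TLSv1_3


def deny_list_config(requested, app_flags, library_versions):
    """Deny-list style: the application sets a "no <version>" flag for every
    version it has a flag for and was not asked to enable. A version the
    application has no flag for stays enabled by the library."""
    disabled = {v for v in app_flags if v not in requested}
    return [v for v in library_versions if v not in disabled]


def range_config(requested, library_versions):
    """Min/max style: enable the contiguous range from the lowest to the
    highest requested version; anything newer is outside the range."""
    idx = sorted(library_versions.index(v) for v in requested
                 if v in library_versions)
    return library_versions[idx[0]:idx[-1] + 1] if idx else []


def negotiate(server_enabled, client_enabled, order):
    """Highest version enabled on both sides, or None if the handshake fails."""
    common = [v for v in order if v in server_enabled and v in client_enabled]
    return common[-1] if common else None


def dispatch_scenario(library_versions, style):
    """Scenario from the thread: the server is asked for TLSv1 and TLSv1_1,
    the client for TLSv1_2 only, so the connection is expected to fail."""
    def configure(requested):
        if style == "deny-list":
            # The application only has flags for the pre-1.1.1 versions.
            return deny_list_config(requested, PRE_1_1_1, library_versions)
        return range_config(requested, library_versions)

    server = configure({"TLSv1", "TLSv1_1"})
    client = configure({"TLSv1_2"})
    return negotiate(server, client, library_versions)


if __name__ == "__main__":
    for name, lib in (("pre-1.1.1", PRE_1_1_1), ("1.1.1", WITH_1_1_1)):
        for style in ("deny-list", "range"):
            print(name, style, "->", dispatch_scenario(lib, style))
```

A range cannot express a hole such as "TLSv1 and TLSv1_2 but not TLSv1_1"; the model enables every version between the lowest and highest requested one.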