Re: openssl s_time: different tally marks for different TLS versions

2018-09-15 Thread Bob Beck
I'm generally opposed to breaking stdout compatibility with the
"openssl" command tools because we have no clue what shell scripts and
other applications this will break.

With a *very good reason* I think it's ok, but this (I think this
looks better) isn't one of them.  The "openssl" command is kept the
way it is *for compatibility with crap that wants it*.

If you truly dislike the output - WRITE A NEW TOOL THAT DOESN'T SUCK  ;)


On Sat, Sep 15, 2018 at 1:21 PM Scott Cheloha  wrote:
>
> Bump.
>
> On Tue, Aug 28, 2018 at 10:33:34AM -0500, Scott Cheloha wrote:
> > Two diffs here.
> >
> > First, move the tally mark printing out of the benchmark loop.
> >
> > Second, print '0' for TLS 1.0, '1' for TLS 1.1, etc.
> >
> > This breaks stdout compatibility with OpenSSL s_time, and prior
> > versions of s_time in general, because 't' was used for TLS 1.0
> > (behavior change) and '2' was used for SSLv2 (marker collision).
> >
> > (The choice of a single character as the mark predated any plans
> > for a successor to SSL.  The choice of 't' predated any plans for
> > a revision to TLS.)
> >
> > I think the utility of distinguishing between the various TLS
> > versions at a glance outweighs the value of compatibility with
> > older versions of the software.  Especially given how haphazard
> > the stdout behavior of this code is anyway, I don't think we're
> > going to break a zillion scripts.  The primary utility of this
> > app is interactive testing and eyeballing your performance.
> >
> > But... if this is unacceptable the alternative is to just print
> > 't' for any and all TLS versions.  I think this is less useful,
> > but one can always use s_client, so it isn't the end of the world.
> >
> > Thoughts?  ok?
> >
> > PS. Using DTLS to encrypt HTTP isn't a thing, right?  It isn't
> > useful to check for DTLS1_VERSION from SSL_version(3)?
> >
> > Diff 1:
> >
> > Index: s_time.c
> > ===
> > RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> > retrieving revision 1.31
> > diff -u -p -r1.31 s_time.c
> > --- s_time.c  28 Aug 2018 14:30:48 -  1.31
> > +++ s_time.c  28 Aug 2018 15:13:18 -
> > @@ -92,6 +92,7 @@ extern int verify_depth;
> >  static void s_time_usage(void);
> >  static int run_test(SSL *);
> >  static int benchmark(int);
> > +static void print_tally_mark(SSL *);
> >
> >  static SSL_CTX *tm_ctx = NULL;
> >  static const SSL_METHOD *s_time_meth = NULL;
> > @@ -393,6 +394,24 @@ run_test(SSL *scon)
> >   return 1;
> >  }
> >
> > +static void
> > +print_tally_mark(SSL *scon)
> > +{
> > + int ver;
> > +
> > + if (SSL_session_reused(scon))
> > + ver = 'r';
> > + else {
> > + ver = SSL_version(scon);
> > + if (ver == TLS1_VERSION)
> > + ver = 't';
> > + else
> > + ver = '*';
> > + }
> > + fputc(ver, stdout);
> > + fflush(stdout);
> > +}
> > +
> >  static int
> >  benchmark(int reuse_session)
> >  {
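Review bot: The new print_tally_mark carries no comment saying what it writes, and it reuses `ver` for both the SSL_version() result and the character handed to fputc, which reads as if a raw version number could be printed. Name the character `mark` and put the legend above the function, e.g. `/* Print one progress mark per connection: 'r' for a reused session, 't' for a fresh TLS 1.0 handshake, '*' for any other version. */`. The per-connection fflush(stdout) is carried over from the loop unchanged, presumably so marks appear immediately when stdout is not a terminal; a short why-comment on that line would keep the next person from "optimising" it away. Behaviour is otherwise identical to the inline code this replaces.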
> > @@ -400,7 +419,6 @@ benchmark(int reuse_session)
> >   int nConn = 0;
> >   SSL *scon = NULL;
> >   int ret = 1;
> > - int ver;
> >
> >   if (reuse_session) {
> >   /* Get an SSL object so we can reuse the session id */
> > @@ -429,18 +447,7 @@ benchmark(int reuse_session)
> >   if (!run_test(scon))
> >   goto end;
> >   nConn += 1;
> > - if (SSL_session_reused(scon))
> > - ver = 'r';
> > - else {
> > - ver = SSL_version(scon);
> > - if (ver == TLS1_VERSION)
> > - ver = 't';
> > - else
> > - ver = '*';
> > - }
> > - fputc(ver, stdout);
> > - fflush(stdout);
> > -
> > + print_tally_mark(scon);
> >   if (!reuse_session) {
> >   SSL_free(scon);
> >   scon = NULL;
> >
> > Diff 1+2:
> >
> > Index: s_time.c
> > ===
> > RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> > retrieving revision 1.31
> > diff -u -p -r1.31 s_time.c
> > --- s_time.c  28 Aug 2018 14:30:48 -  1.31
> > +++ s_time.c  28 Aug 2018 15:15:27 -
> > @@ -92,6 +92,7 @@ extern int verify_depth;
> >  static void s_time_usage(void);
> >  static int run_test(SSL *);
> >  static int benchmark(int);
> > +static void print_tally_mark(SSL *);
> >
> >  static SSL_CTX *tm_ctx = NULL;
> >  static const SSL_METHOD *s_time_meth = NULL;
> > @@ -393,6 +394,33 @@ run_test(SSL *scon)
> >   return 1;
> >  }
> >
> > +static void
> > +print_tally_mark(SSL *scon)
> > +{
> > + int mark;
> > +
> > + if (SSL_session_reused(scon)) {
> > + mark = 'r';
> > + goto print;
> > + }
> > + switch (SSL_version(scon)) {
> > + case TLS1_VERSION:
> > +  

Re: openssl s_time: different tally marks for different TLS versions

2018-09-15 Thread Scott Cheloha
Bump.

On Tue, Aug 28, 2018 at 10:33:34AM -0500, Scott Cheloha wrote:
> Two diffs here.
> 
> First, move the tally mark printing out of the benchmark loop.
> 
> Second, print '0' for TLS 1.0, '1' for TLS 1.1, etc.
> 
> This breaks stdout compatibility with OpenSSL s_time, and prior
> versions of s_time in general, because 't' was used for TLS 1.0
> (behavior change) and '2' was used for SSLv2 (marker collision).
> 
> (The choice of a single character as the mark predated any plans
> for a successor to SSL.  The choice of 't' predated any plans for
> a revision to TLS.)
> 
> I think the utility of distinguishing between the various TLS
> versions at a glance outweighs the value of compatibility with
> older versions of the software.  Especially given how haphazard
> the stdout behavior of this code is anyway, I don't think we're
> going to break a zillion scripts.  The primary utility of this
> app is interactive testing and eyeballing your performance.
> 
> But... if this is unacceptable the alternative is to just print
> 't' for any and all TLS versions.  I think this is less useful,
> but one can always use s_client, so it isn't the end of the world.
> 
> Thoughts?  ok?
> 
> PS. Using DTLS to encrypt HTTP isn't a thing, right?  It isn't
> useful to check for DTLS1_VERSION from SSL_version(3)?
> 
> Diff 1:
> 
> Index: s_time.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> retrieving revision 1.31
> diff -u -p -r1.31 s_time.c
> --- s_time.c  28 Aug 2018 14:30:48 -  1.31
> +++ s_time.c  28 Aug 2018 15:13:18 -
> @@ -92,6 +92,7 @@ extern int verify_depth;
>  static void s_time_usage(void);
>  static int run_test(SSL *);
>  static int benchmark(int);
> +static void print_tally_mark(SSL *);
>  
>  static SSL_CTX *tm_ctx = NULL;
>  static const SSL_METHOD *s_time_meth = NULL;
> @@ -393,6 +394,24 @@ run_test(SSL *scon)
>   return 1;
>  }
>  
> +static void
> +print_tally_mark(SSL *scon)
> +{
> + int ver;
> +
> + if (SSL_session_reused(scon))
> + ver = 'r';
> + else {
> + ver = SSL_version(scon);
> + if (ver == TLS1_VERSION)
> + ver = 't';
> + else
> + ver = '*';
> + }
> + fputc(ver, stdout);
> + fflush(stdout);
> +}
> +
>  static int
>  benchmark(int reuse_session)
>  {
> @@ -400,7 +419,6 @@ benchmark(int reuse_session)
>   int nConn = 0;
>   SSL *scon = NULL;
>   int ret = 1;
> - int ver;
>  
>   if (reuse_session) {
>   /* Get an SSL object so we can reuse the session id */
> @@ -429,18 +447,7 @@ benchmark(int reuse_session)
>   if (!run_test(scon))
>   goto end;
>   nConn += 1;
> - if (SSL_session_reused(scon))
> - ver = 'r';
> - else {
> - ver = SSL_version(scon);
> - if (ver == TLS1_VERSION)
> - ver = 't';
> - else
> - ver = '*';
> - }
> - fputc(ver, stdout);
> - fflush(stdout);
> -
> + print_tally_mark(scon);
>   if (!reuse_session) {
>   SSL_free(scon);
>   scon = NULL;
> 
> Diff 1+2:
> 
> Index: s_time.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> retrieving revision 1.31
> diff -u -p -r1.31 s_time.c
> --- s_time.c  28 Aug 2018 14:30:48 -  1.31
> +++ s_time.c  28 Aug 2018 15:15:27 -
> @@ -92,6 +92,7 @@ extern int verify_depth;
>  static void s_time_usage(void);
>  static int run_test(SSL *);
>  static int benchmark(int);
> +static void print_tally_mark(SSL *);
>  
>  static SSL_CTX *tm_ctx = NULL;
>  static const SSL_METHOD *s_time_meth = NULL;
> @@ -393,6 +394,33 @@ run_test(SSL *scon)
>   return 1;
>  }
>  
> +static void
> +print_tally_mark(SSL *scon)
> +{
> + int mark;
> +
> + if (SSL_session_reused(scon)) {
> + mark = 'r';
> + goto print;
> + }
> + switch (SSL_version(scon)) {
> + case TLS1_VERSION:
> + mark = '0';
> + break;
> + case TLS1_1_VERSION:
> + mark = '1';
> + break;
> + case TLS1_2_VERSION:
> + mark = '2';
> + break;
> + default:
> + mark = '*';
> + }
> + print:
> + fputc(mark, stdout);
> + fflush(stdout);
> +}
> +
>  static int
>  benchmark(int reuse_session)
>  {
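Review bot: The switch in print_tally_mark lists only TLS 1.0 through 1.2, so every other SSL_version() value (TLS 1.3 if this tree defines TLS1_3_VERSION, and the DTLS case the PS asks about) silently collapses to '*', and nothing in the code documents that the digit is the TLS minor version. The `goto print` exists only to jump over the switch; initialising `mark = '*'` and nesting the switch under an `else` removes both the label and the default case, and leaves a natural place to add `case TLS1_3_VERSION: mark = '3';` if that constant exists here. I would restructure it as below.
```c
static void
print_tally_mark(SSL *scon)
{
	int mark = '*';		/* any version not listed below */

	if (SSL_session_reused(scon))
		mark = 'r';
	else {
		/* The digit is the TLS minor version: '0' = TLS 1.0, etc. */
		switch (SSL_version(scon)) {
		/* … unchanged: TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION cases … */
		}
	}
	fputc(mark, stdout);
	fflush(stdout);
}
```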
> @@ -400,7 +428,6 @@ benchmark(int reuse_session)
>   int nConn = 0;
>   SSL *scon = NULL;
>   int ret = 1;
> - int ver;
>  
>   if (reuse_session) {
>   /* Get an SSL object so we can reuse the session id */
> @@ -429,18 +456,7 @@ benchmark(int reuse_session)
>   if (!run_test(scon))
>   goto end;

openssl s_time: different tally marks for different TLS versions

2018-08-28 Thread Scott Cheloha
Two diffs here.

First, move the tally mark printing out of the benchmark loop.

Second, print '0' for TLS 1.0, '1' for TLS 1.1, etc.

This breaks stdout compatibility with OpenSSL s_time, and prior
versions of s_time in general, because 't' was used for TLS 1.0
(behavior change) and '2' was used for SSLv2 (marker collision).

(The choice of a single character as the mark predated any plans
for a successor to SSL.  The choice of 't' predated any plans for
a revision to TLS.)

I think the utility of distinguishing between the various TLS
versions at a glance outweighs the value of compatibility with
older versions of the software.  Especially given how haphazard
the stdout behavior of this code is anyway, I don't think we're
going to break a zillion scripts.  The primary utility of this
app is interactive testing and eyeballing your performance.

But... if this is unacceptable the alternative is to just print
't' for any and all TLS versions.  I think this is less useful,
but one can always use s_client, so it isn't the end of the world.

Thoughts?  ok?

PS. Using DTLS to encrypt HTTP isn't a thing, right?  It isn't
useful to check for DTLS1_VERSION from SSL_version(3)?

Diff 1:

Index: s_time.c
===
RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
retrieving revision 1.31
diff -u -p -r1.31 s_time.c
--- s_time.c28 Aug 2018 14:30:48 -  1.31
+++ s_time.c28 Aug 2018 15:13:18 -
@@ -92,6 +92,7 @@ extern int verify_depth;
 static void s_time_usage(void);
 static int run_test(SSL *);
 static int benchmark(int);
+static void print_tally_mark(SSL *);
 
 static SSL_CTX *tm_ctx = NULL;
 static const SSL_METHOD *s_time_meth = NULL;
@@ -393,6 +394,24 @@ run_test(SSL *scon)
return 1;
 }
 
+static void
+print_tally_mark(SSL *scon)
+{
+   int ver;
+
+   if (SSL_session_reused(scon))
+   ver = 'r';
+   else {
+   ver = SSL_version(scon);
+   if (ver == TLS1_VERSION)
+   ver = 't';
+   else
+   ver = '*';
+   }
+   fputc(ver, stdout);
+   fflush(stdout);
+}
+
 static int
 benchmark(int reuse_session)
 {
@@ -400,7 +419,6 @@ benchmark(int reuse_session)
int nConn = 0;
SSL *scon = NULL;
int ret = 1;
-   int ver;
 
if (reuse_session) {
/* Get an SSL object so we can reuse the session id */
@@ -429,18 +447,7 @@ benchmark(int reuse_session)
if (!run_test(scon))
goto end;
nConn += 1;
-   if (SSL_session_reused(scon))
-   ver = 'r';
-   else {
-   ver = SSL_version(scon);
-   if (ver == TLS1_VERSION)
-   ver = 't';
-   else
-   ver = '*';
-   }
-   fputc(ver, stdout);
-   fflush(stdout);
-
+   print_tally_mark(scon);
if (!reuse_session) {
SSL_free(scon);
scon = NULL;

Diff 1+2:

Index: s_time.c
===
RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
retrieving revision 1.31
diff -u -p -r1.31 s_time.c
--- s_time.c28 Aug 2018 14:30:48 -  1.31
+++ s_time.c28 Aug 2018 15:15:27 -
@@ -92,6 +92,7 @@ extern int verify_depth;
 static void s_time_usage(void);
 static int run_test(SSL *);
 static int benchmark(int);
+static void print_tally_mark(SSL *);
 
 static SSL_CTX *tm_ctx = NULL;
 static const SSL_METHOD *s_time_meth = NULL;
@@ -393,6 +394,33 @@ run_test(SSL *scon)
return 1;
 }
 
+static void
+print_tally_mark(SSL *scon)
+{
+   int mark;
+
+   if (SSL_session_reused(scon)) {
+   mark = 'r';
+   goto print;
+   }
+   switch (SSL_version(scon)) {
+   case TLS1_VERSION:
+   mark = '0';
+   break;
+   case TLS1_1_VERSION:
+   mark = '1';
+   break;
+   case TLS1_2_VERSION:
+   mark = '2';
+   break;
+   default:
+   mark = '*';
+   }
+ print:
+   fputc(mark, stdout);
+   fflush(stdout);
+}
+
 static int
 benchmark(int reuse_session)
 {
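Review bot: The switch in print_tally_mark lists only TLS 1.0 through 1.2, so every other SSL_version() value (TLS 1.3 if this tree defines TLS1_3_VERSION, and the DTLS case the PS asks about) silently collapses to '*', and nothing in the code documents that the digit is the TLS minor version. The `goto print` exists only to jump over the switch; initialising `mark = '*'` and nesting the switch under an `else` removes both the label and the default case, and leaves a natural place to add `case TLS1_3_VERSION: mark = '3';` if that constant exists here. I would restructure it as below.
```c
static void
print_tally_mark(SSL *scon)
{
	int mark = '*';		/* any version not listed below */

	if (SSL_session_reused(scon))
		mark = 'r';
	else {
		/* The digit is the TLS minor version: '0' = TLS 1.0, etc. */
		switch (SSL_version(scon)) {
		/* … unchanged: TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION cases … */
		}
	}
	fputc(mark, stdout);
	fflush(stdout);
}
```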
@@ -400,7 +428,6 @@ benchmark(int reuse_session)
int nConn = 0;
SSL *scon = NULL;
int ret = 1;
-   int ver;
 
if (reuse_session) {
/* Get an SSL object so we can reuse the session id */
@@ -429,18 +456,7 @@ benchmark(int reuse_session)
if (!run_test(scon))
goto end;
nConn += 1;
-   if (SSL_session_reused(scon))
-   ver = 'r';
-   else {
-   ver = SSL_version(scon);
-   if (ver == TLS1_VERSION)
-