Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIPS compatibility for test cases #563

Open
tomato42 opened this issue Aug 15, 2019 · 0 comments
Open

FIPS compatibility for test cases #563

tomato42 opened this issue Aug 15, 2019 · 0 comments
Labels
complex Issues that require good knowledge of tlsfuzzer internals enhancement new feature to be implemented help wanted
Projects
TLS 1.2 coverage

Comments

@tomato42
Copy link
Member

tomato42 commented Aug 15, 2019
edited

Bug Report

Problem description

Many TLS 1.2 test cases depend on the server having support for kRSA ciphers, in particular, the TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite. In new FIPS requirements, only DHE and ECDHE key exchange is supported. That means not only the client may need to advertise a curve for interoperability (P-256, P-384 or P-521 in this case), but it also requires the support for SHA-256 to be advertised (as support for SHA-1 is also disallowed in FIPS mode).

Some of the new (as of 2022) libraries also don't enable CBC ciphers, even though FIPS still allows them.

Expected behaviour

The problem is, that adding two extensions to the ClientHello does change the test cases quite significantly (and also requires expecting the ServerKeyExchange message). So it would be better to provide it as an option rather than to switch all test cases to this new approach.

The test cases that were modified use the -d option to do that. For consistency others should do the same.

It would also be good to have the -C option to set used ciphersuite more universally supported.
@tomato42 tomato42 added enhancement new feature to be implemented help wanted complex Issues that require good knowledge of tlsfuzzer internals labels Aug 15, 2019
@tomato42 tomato42 added this to To do in TLS 1.2 coverage via automation Aug 15, 2019
@tomato42 tomato42 mentioned this issue Aug 19, 2019
Merged
10 tasks
This was referenced Aug 21, 2019
Merged
Merged
@tomato42 tomato42 mentioned this issue Aug 29, 2019
Merged
10 tasks
@tomato42 tomato42 pinned this issue Aug 29, 2019
This was referenced Aug 29, 2019
Merged
Merged
Merged
Merged
Merged
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 4, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
3e8c4db 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
@t184256 t184256 mentioned this issue Sep 4, 2019
Merged
10 tasks
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 4, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
a464376 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
@tomato42 tomato42 mentioned this issue Sep 4, 2019
Merged
10 tasks
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 5, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
a422d0a 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 5, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
eac647f 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 5, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
94ee012 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 5, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
9c107c3 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 5, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
93b8076 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 5, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
426b868 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
tomato42 added a commit that referenced this issue Sep 5, 2019
@tomato42
fallback-scsv: add support for DHE/ECDHE ciphersuites
c489a20 
FIPS mode compatibility – #563
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 6, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
a940b05 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 6, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
0aa4c53 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 6, 2019
@t184256
test-extended-master-secret*: -d for (EC)DHE
54f29ad 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
@inikolcev inikolcev mentioned this issue Sep 9, 2019
Merged
10 tasks
tomato42 added a commit that referenced this issue Sep 9, 2019
@tomato42
atypical-padding: modernise, allow running against DHE/ECDHE-only ser…
2e7c0bb 
…vers

this is in relation to #563
tomato42 added a commit that referenced this issue Sep 9, 2019
@tomato42
atypical-padding: modernise, allow running against DHE/ECDHE-only ser…
8060bc6 
…vers

this is in relation to #563
tomato42 added a commit that referenced this issue Sep 10, 2019
@tomato42
atypical-padding: modernise, allow running against DHE/ECDHE-only ser…
bc7ff2a 
…vers

this is in relation to #563
@inikolcev inikolcev mentioned this issue Sep 10, 2019
Merged
10 tasks
tomato42 added a commit that referenced this issue Sep 11, 2019
@tomato42
atypical-padding: modernise, allow running against DHE/ECDHE-only ser…
0bc8c59 
…vers

this is in relation to #563
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 12, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
418dce6 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 12, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
a68b9b9 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
@inikolcev inikolcev mentioned this issue Sep 12, 2019
Merged
10 tasks
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 13, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
83d0dc3 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 13, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
894b7ad 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
@The-Mule The-Mule mentioned this issue Sep 17, 2019
Merged
10 tasks
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 19, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
4ba2d4c 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 19, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
8348bbd 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
t184256 added a commit to t184256/tlsfuzzer that referenced this issue Sep 19, 2019
@t184256
test-legacy-renegotiation: -d for (EC)DHE
59c08b5 
Add an option to negotiate (EC)DHE instead of RSA key exchange
for scripts/test-extended-master-secret-extension*.py

See the tlsfuzzer#563 (umbrella bug) for the context.
@t184256 t184256 mentioned this issue Dec 5, 2019
Merged
10 tasks
This was referenced Dec 13, 2019
Merged
Merged
@tomato42 tomato42 mentioned this issue Feb 24, 2021
Merged
10 tasks
@tomato42 tomato42 mentioned this issue May 24, 2021
Merged
10 tasks
@tomato42 tomato42 mentioned this issue Jun 15, 2021
Merged
10 tasks
@tomato42 tomato42 mentioned this issue Aug 6, 2021
Merged
10 tasks
This was referenced May 10, 2022
Merged
Merged
@tomato42 tomato42 mentioned this issue May 27, 2022
Merged
10 tasks
@tomato42 tomato42 mentioned this issue Sep 2, 2022
Merged
10 tasks
@tomato42 tomato42 mentioned this issue Mar 10, 2023
Open
@tomato42 tomato42 mentioned this issue Apr 13, 2023
Merged
@tomato42 tomato42 mentioned this issue Jan 16, 2024
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
complex Issues that require good knowledge of tlsfuzzer internals enhancement new feature to be implemented help wanted
Projects
TLS 1.2 coverage
  
To do
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tomato42