Add ecc extensions only if ecc ciphersuite is used #1378
Conversation
Fix compliance with RFC 4492. ECC extensions should be included only if EC ciphersuites are used. Interoperability issue with Bouncy Castle. Mbed-TLS#1157
Rebased and added an entry in the ChangeLog
Add an entry in the ChangeLog, describing the fix.
Besides the suggested improvements to the ChangeLog entry, I think this PR lacks a test.
It should be easy enough to add one in ssl-opt.sh by forcing a non-ECC ciphersuite and then checking for the absence of the ECC extensions in the debug logs of the client and server. Also have a test where the client offers many suites, some of them ECC, and the server picks a non-ECC suite. (And perhaps, just to be sure, a test with an ECC suite just to be extra sure the extensions are present when they should be, and contrast with the other two tests.)
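The debug-log check described above works against running ssl_client2/ssl_server2 binaries. As an added example (not Mbed TLS code and not the ssl-opt.sh test from this PR), the following checks the same RFC 4492 property at the protocol level: it parses a TLS 1.2 ClientHello and reports whether the elliptic_curves (type 10) and ec_point_formats (type 11) extensions are present without any ECC ciphersuite being offered. The ciphersuite table is a small hand-picked subset of the IANA registry, and the three ClientHello samples are constructed inline (zero random, no session ID) purely to exercise the check; the ServerHello side of the rule would be checked the same way against the single selected suite.

```python
# Added example: RFC 4492 check on a ClientHello. Not Mbed TLS code.
import struct

EXT_ELLIPTIC_CURVES = 10   # RFC 4492 "elliptic_curves" (later renamed supported_groups)
EXT_EC_POINT_FORMATS = 11  # RFC 4492 "ec_point_formats"
ECC_EXTENSIONS = {EXT_ELLIPTIC_CURVES, EXT_EC_POINT_FORMATS}

# Assumption: a hand-picked subset of IANA ciphersuite codes, enough for the
# constructed samples. A real checker would classify against the full registry.
ECC_SUITES = {
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
NON_ECC_SUITES = {
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}


def build_client_hello(suites, extensions):
    """Serialize a minimal TLS 1.2 ClientHello handshake message (HandshakeType 1).
    `extensions` is a list of (type, data) pairs in wire order."""
    body = b"\x03\x03" + bytes(32)            # client_version 1.2, all-zero random (constructed)
    body += b"\x00"                            # empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                        # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (ciphersuite codes, extension types) from a ClientHello handshake message."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                               # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    ext_types = []
    if pos < len(body):                        # the extensions block is optional
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_data_len = struct.unpack_from("!HH", body, pos)
            pos += 4 + ext_data_len
            ext_types.append(ext_type)
        if pos != end:
            raise ValueError("malformed extensions block")
    return suites, ext_types


def check_rfc4492(msg):
    """Apply the rule this PR enforces: ECC extensions only if an ECC suite is offered.
    An ECC offer without the extensions is reported but not flagged as non-compliant."""
    suites, ext_types = parse_client_hello(msg)
    offers_ecc = any(s in ECC_SUITES for s in suites)
    ecc_exts = sorted(t for t in ext_types if t in ECC_EXTENSIONS)
    return {
        "offers_ecc": offers_ecc,
        "ecc_extensions": ecc_exts,
        "compliant": offers_ecc or not ecc_exts,
    }


# Constructed extension payloads: one named curve (secp256r1 = 23), uncompressed points only.
CURVES = struct.pack("!HH", 2, 0x0017)
POINT_FORMATS = b"\x01\x00"
ECC_EXTS = [(EXT_ELLIPTIC_CURVES, CURVES), (EXT_EC_POINT_FORMATS, POINT_FORMATS)]

# Constructed samples: the pre-fix shape (RSA/DHE-only offer, ECC extensions attached),
# the fixed non-ECC offer, and a mixed offer that legitimately carries the extensions.
NONCOMPLIANT_HELLO = build_client_hello([0x003C, 0x0067], ECC_EXTS)
COMPLIANT_NON_ECC_HELLO = build_client_hello([0x003C, 0x0067], [])
COMPLIANT_ECC_HELLO = build_client_hello([0xC02F, 0x003C], ECC_EXTS)

if __name__ == "__main__":
    for name, hello in [("pre-fix", NONCOMPLIANT_HELLO),
                        ("non-ECC", COMPLIANT_NON_ECC_HELLO),
                        ("mixed", COMPLIANT_ECC_HELLO)]:
        print(name, check_rfc4492(hello))
```

The check deliberately treats only "ECC extensions without an ECC suite" as a violation, which is the condition the PR fixes and the one that tripped Bouncy Castle; whether a client offering ECC suites must send the extensions is a separate question and is only reported.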
= mbed TLS x.x.x branch released xxxx-xx-xx

Bugfix
   * Add ecc extensions only if an ecc based ciphersuite is used.
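Review bot: the Bugfix entry does not reference the issue it resolves, although the PR description names it (#1157); adding "Fixes #1157." to the entry ties the ChangeLog line to the BouncyCastle interoperability report so users hitting that report can find the fix.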
I think ChangeLog entries should provide more context. For example here, "In TLS, add ECC extensions to the ClientHello and ServerHello messages only if". (And ECC should be capitalized while at it.)
Also, "Affects interop" is ambiguous and not a complete sentence. How about: "This improves compliance to RFC 4492, and as a result, solves interoperability issues with BouncyCastle."?
Update ChangeLog with a less ambiguous description.
Add a test to verify whether an ECC-based extension is present depending on whether an ECC-based ciphersuite is used.
@mpg I added a test i
Thanks for adding the test!
I don't think interop tests are necessary here, as the test in ssl-opt.sh is enough to ensure we now behave in a compliant way, and adding Bouncycastle to compat.sh would be too much work for this PR.
Note: CI only failed in the timing test that is known to be flaky (#1517), so not a blocker for merging.
I meant interop tests with openssl and GnuTLS, but I see your point. Thanks for approving!
1. Update the test script to run the ECC tests only if the relevant configurations are defined in the `config.h` file
2. Change the hash of the ciphersuite from SHA-1 based to SHA-256 for a better example
@mpg I updated the test to run conditionally only if the relevant modules are defined in the configuration.
Nice improvements.
This PR and its backports have been fully approved cc @sbutcher-arm
Description
Fix compliance with RFC 4492. ECC extensions should be included
only if EC ciphersuites are used. Interoperability issue with
Bouncy Castle. Resolves #1157
Status
IN DEVELOPMENT
Requires Backporting
Yes
Which branch?
comments
Missing tests, ChangeLog
Todos
Steps to test or reproduce
Outline the steps to test or reproduce the PR here.