
Allow setting the security level and proto version for NTLS #310

Open
wants to merge 6 commits into base: master

Conversation


@yangboyd yangboyd commented Oct 2, 2022

Allow NTLS to set the security level and proto version
SSL_CTX_set_security_level(ctx, 2);
SSL_CTX_set_min_proto_version(ctx, NTLS1_1_VERSION);
SSL_CTX_set_max_proto_version(ctx, NTLS1_1_VERSION);

@CLAassistant

CLAassistant commented Oct 2, 2022

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@yangboyd yangboyd requested a review from wa5i October 10, 2022 05:47
@yangboyd yangboyd marked this pull request as draft October 10, 2022 06:04
@yangboyd yangboyd marked this pull request as ready for review October 10, 2022 06:05
@yangboyd yangboyd requested a review from wa5i October 14, 2022 00:22

@wa5i wa5i left a comment


@InfoHunter (Member) commented:

@wa5i You need to approve, otherwise it is currently in the "requested changes" state.

ssl/ssl_cert.c
* Session tickets are disabled.
*/
if (nid == NTLS_VERSION) {
return level > 3 ? 0 : 1;
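Review bot: the check `return level > 3 ? 0 : 1;` still admits NTLS at security level 3, while the maintainer states below that TLCP 1.1 does not support forward secrecy, which level 3 requires of cipher suites; either tighten the condition to `level >= 3` as suggested, or record in the comment why level 3 is acceptable for NTLS (the author's reply rests on the ECDHE-SM2-SM4-CBC-SM3 suite), so the code and its justification stay in step.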
Member:

As I understand it, level >= 3 should return 0.

Author:

For the NTLS (GM) protocol, level > 3 returns 0; level <= 3 is suitable, so it returns 1. Because level 3 requires ECC keys of at least 256 bits, and the SM2 key in GM SSL certificates is 256 bits long, with encryption strength equivalent to a 3072-bit RSA certificate, NTLS 1.1 meets the requirements of SSL security level 3.

Member:

The current TLCP 1.1 does not support forward secrecy.

@yangboyd (Author):

@dongbeiouba Please review again.


@yangboyd (Author) commented Nov 2, 2022

@dongbeiouba Boss, please confirm.

@dongbeiouba (Member) commented:

@dongbeiouba Boss, please confirm.

Confirm what? It still hasn't been changed.

If convenient, you can also join the DingTalk group; chatting directly is more efficient.

@yangboyd (Author) commented Nov 8, 2022

@dongbeiouba Boss, please confirm.

Confirm what? It still hasn't been changed.

ECDHE-SM2-SM4-CBC-SM3 in the NTLSv1.1 protocol supports forward secrecy; no change needed?
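To make the two readings of the threshold concrete, here is an added stand-alone C model of the SSL_SECOP_VERSION checks in OpenSSL's default security callback with the NTLS rule from this PR placed in front of them. It is not the project's code: the TLS version constants are OpenSSL's, and the NTLS_VERSION value is an assumed stand-in, not taken from this page.

```c
#include <stdio.h>

/* TLS version constants as OpenSSL defines them. */
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
/* Assumed stand-in for the project's NTLS_VERSION macro (value not from this page). */
#define NTLS_VERSION   0x0101

/* The SSL_SECOP_VERSION checks of OpenSSL's default security callback
 * for non-DTLS contexts. Returns 1 if the version is allowed at `level`. */
static int generic_version_allowed(int nid, int level)
{
    if (nid <= SSL3_VERSION && level >= 2)   /* SSLv3 not allowed at level 2 */
        return 0;
    if (nid <= TLS1_VERSION && level >= 3)   /* TLS v1.1 and above only for level 3 */
        return 0;
    if (nid <= TLS1_1_VERSION && level >= 4) /* TLS v1.2 only for level 4 and above */
        return 0;
    return 1;
}

/* Same policy with the NTLS rule from the PR in front of the generic checks.
 * ntls_max_level = 3 models the PR's `level > 3 ? 0 : 1`; 2 models the
 * reviewer's `level >= 3` reading. The NTLS case must come first: with the
 * assumed value above, NTLS_VERSION compares below SSL3_VERSION and the
 * generic checks alone would reject NTLS at every level >= 2. */
int version_allowed(int nid, int level, int ntls_max_level)
{
    if (nid == NTLS_VERSION)
        return level > ntls_max_level ? 0 : 1;
    return generic_version_allowed(nid, level);
}

int main(void)
{
    /* Level 3 is the only row where the two readings of the threshold differ. */
    int level;
    for (level = 0; level <= 5; level++)
        printf("level %d: NTLS allowed? PR: %d  reviewer: %d  (no NTLS rule: %d)\n",
               level, version_allowed(NTLS_VERSION, level, 3),
               version_allowed(NTLS_VERSION, level, 2),
               generic_version_allowed(NTLS_VERSION, level));
    return 0;
}
```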

return 0;

/*-
* NTLS v1.1 not suitable for above level 3
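Review bot: the comment `NTLS v1.1 not suitable for above level 3` should state the same threshold as the check it documents; if the condition is changed to `level >= 3` as discussed in the thread, reword it to "not suitable for level 3 and above", and, per the maintainer's request, keep only that one line and drop the rest of the copied block.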
Member:

Just keep this one comment line; the rest isn't necessary, delete it.

@timonwong commented Nov 1, 2023

Just a personal thought: could TLS and NTLS be configured separately?

For example, a server that supports both international TLS and NTLS. When using TLS, I'd like to use TLS 1.2+, and for NTLS use NTLS 1.1 (currently it seems SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version cannot be set at all; an unsupported protocol error is reported afterwards).

SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);

// then NTLS uses a separate configuration
SSL_CTX_set_min_proto_version_ntls(ctx, NTLS1_1_VERSION);
SSL_CTX_set_max_proto_version_ntls(ctx, NTLS1_1_VERSION);

6 participants