Moving away from Scapy-ssl_tls and fix tls/ tests #179
Merged
Use TLSExtCertificateStatusRequest() provided by Scapy-TLS instead of raw type-only extension.
Essential parts of the library are moved into tls/ directory and are supposed for further truncation, fixes and migration to Python 3.
(tintinweb/scapy-ssl_tls#163). RFC 5246 6.2.3.3 requires the explicit nonce (most usually sequence number) in the additional authenticated data (AAD), however crypto_data.sequence, used for the AAD creation in EAEADCryptoContainer, wasn't initialized with the explicit_nonce.
check to reveal problems like tempesta-tech/tempesta#1470
tls: add tests for tls tickets
scapy 2.4.0, which has different x509 API.
terminates connection of unsupported TLS version with PROTOCOL_VERSION alert instead of warnings in dmesg.
krizhanovsky changed the title from "Scapy-ssl_tls fixes" to "Moving away from Scapy-ssl_tls and fix tls/ tests" on Dec 10, 2020
…est into ak-tls-134-1310
'Traffic wasn't captured' in tls.test_tls_integrity.Proxy.test_tcp_segs test. Add notes for #120 to fix the timeouts on run_cmd() interface. Use -n switch for tcpdump to make it run faster.
tempesta-tech/tempesta#1325 : the test originally didn't consider the TLS handshake overhead.
the TLS version - now we'll see what we have in Server Hello (issue #154).
vankoven approved these changes on Dec 25, 2020
Update comments on #120.
have to install it with pip. Move sleep() to Sniffer.start() and other users may struggle from the same race with starting the sniffer.
Fix #134
Move Scapy-ssl_tls into tempesta-test/tls/ and fix GCM tags verification (Verification of GCM tag failed: MAC check failed tempesta#1310)
Port x509 fields retrieval for the new Scapy 2.4.4
Adjust close_notify test to expect an alert from Tempesta FW side of correct level and message. Also add length check to catch bugs like Corrupted <fatal, unexpected message> alert tempesta#1470
Minor fixes and improvements
Fixed Tempesta TLS generates non optimal TCP segments tempesta#1325
Please double check that all tls/ tests pass now.
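
The GCM tag failure named in the description can be reproduced in isolation. The following is an added example, not code from this pull request or from Scapy-ssl_tls: it seals one TLS 1.2 AES-GCM record with the AAD layout of RFC 5246 6.2.3.3, then opens it once with the sequence number taken from the explicit nonce and once with a stale sequence of 0. The function names, key and salt are hypothetical, the `cryptography` package is assumed to be installed, and the sender is assumed to use the 64-bit sequence number as the explicit nonce.

```python
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

TAG_LEN, EXPLICIT_LEN = 16, 8

def build_aad(seq_num, ctype, version, plain_len):
    # RFC 5246 6.2.3.3: seq_num(8) || type(1) || version(2) || length(2)
    return struct.pack("!QBHH", seq_num, ctype, version, plain_len)

def seal_record(key, salt, seq_num, ctype, version, plaintext):
    # Assumption: nonce_explicit carries the 64-bit sequence number.
    explicit = struct.pack("!Q", seq_num)
    aad = build_aad(seq_num, ctype, version, len(plaintext))
    body = explicit + AESGCM(key).encrypt(salt + explicit, plaintext, aad)
    return struct.pack("!BHH", ctype, version, len(body)) + body

def open_record(key, salt, record, seq_num=None):
    """Decrypt one record; seq_num=None derives it from the explicit nonce."""
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or length < EXPLICIT_LEN + TAG_LEN:
        raise ValueError("truncated record")
    explicit, sealed = body[:EXPLICIT_LEN], body[EXPLICIT_LEN:]
    if seq_num is None:
        seq_num = struct.unpack("!Q", explicit)[0]
    # The AAD length field is the plaintext length, not the record length.
    aad = build_aad(seq_num, ctype, version, len(sealed) - TAG_LEN)
    return AESGCM(key).decrypt(salt + explicit, sealed, aad)

def demo():
    # Constructed test values, not taken from any real session.
    key, salt = bytes(range(16)), b"\x0a\x0b\x0c\x0d"
    rec = seal_record(key, salt, 3, 23, 0x0303, b"GET / HTTP/1.1\r\n\r\n")
    ok = open_record(key, salt, rec)
    try:
        open_record(key, salt, rec, seq_num=0)  # stale sequence in the AAD
        stale_failed = False
    except InvalidTag:
        stale_failed = True
    return ok, stale_failed

if __name__ == "__main__":
    print(demo())
```
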