Open dougch opened 1 year ago
Stderr: SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
Can't use SSL_get_servername
SSL_connect:SSLv3/TLS read server hello
depth=0 C = US, ST = WA, L = Seattle, O = Amazon, OU = s2n, CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, ST = WA, L = Seattle, O = Amazon, OU = s2n, CN = localhost
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL3 alert write:fatal:internal error
SSL_connect:error in error
20D4AF86FFFF0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2254:
It looks like this is probably a result of OpenSSL 3.0 disabling a number of legacy parameters.
When I restricted the Protocols to TLS 1.2 and TLS 1.3 the happy path test successfully completed with OpenSSL 3.0.8 as a provider.
Security issue notifications
If you discover a potential security issue in s2n we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.
Problem:
While adding OpenSSL 3 libcrypto to the nix devShell, observed that many integration tests, and happy_path specifically, fail under nix, while passing on our standard Ubuntu18 image.
On Ubuntu18, even when we build s2n-tls against OpenSSL 3, we're testing using the OpenSSL 1.1.1 binary for s_client. Testing under nix with the OpenSSL 3 binary for s_client fails. We may need to create a new test provider for OpenSSL 3 and make sure our flags and interaction with s_client are version aware.
s2nd launched with:
s_client launched with:
Solution:
WIP
Requirements / Acceptance Criteria:
What must a solution address in order to solve the problem? How do we know the solution is complete?
Out of scope:
Is there anything the solution will intentionally NOT address?
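One way to make the s_client invocation version aware, as the issue suggests, is to detect the major version of the OpenSSL binary and only offer the TLS 1.2/1.3 cases to an OpenSSL 3 s_client (the restriction that made the happy-path test pass above). This is an added example, not s2n-tls project code; it assumes the s_client binary answers `openssl version` with "OpenSSL X.Y.Z ..." and uses hypothetical host/port defaults.

```python
"""Version-aware s_client argument builder (added example, not s2n-tls code)."""
import re
import subprocess
from typing import List, Optional

# s_client flags that force a single protocol version.
PROTOCOL_FLAG = {
    "TLS1.0": "-tls1",
    "TLS1.1": "-tls1_1",
    "TLS1.2": "-tls1_2",
    "TLS1.3": "-tls1_3",
}


def parse_openssl_major(version_output: str) -> int:
    """Extract the major version from `openssl version` output, e.g. 'OpenSSL 3.0.8 ...' -> 3."""
    match = re.match(r"OpenSSL\s+(\d+)\.", version_output.strip())
    if not match:
        raise ValueError(f"unrecognised OpenSSL version string: {version_output!r}")
    return int(match.group(1))


def openssl_major(binary: str = "openssl") -> int:
    """Run the given OpenSSL binary and return its major version (needs the binary on PATH)."""
    out = subprocess.run([binary, "version"], capture_output=True, text=True, check=True).stdout
    return parse_openssl_major(out)


def supported_protocols(major: int) -> List[str]:
    """Protocols the test may request from this s_client version.

    The OpenSSL 3 s_client in the issue aborted the TLS 1.0/1.1 handshake with
    'legacy sigalg disallowed or unsupported', so only TLS 1.2/1.3 are offered there.
    """
    if major >= 3:
        return ["TLS1.2", "TLS1.3"]
    return list(PROTOCOL_FLAG)


def s_client_args(major: int, protocol: str, host: str = "localhost", port: int = 8443) -> Optional[List[str]]:
    """Return the s_client argv for this protocol, or None when the case must be skipped."""
    if protocol not in PROTOCOL_FLAG:
        raise ValueError(f"unknown protocol {protocol!r}")
    if protocol not in supported_protocols(major):
        return None  # caller should mark the test case as skipped, not failed
    return ["s_client", "-connect", f"{host}:{port}", PROTOCOL_FLAG[protocol]]
```

Skipping (rather than failing) the legacy cases keeps the rest of the happy-path matrix meaningful when the provider happens to be an OpenSSL 3 binary.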