s-zanella
commented
7 years ago In the meantime, this is what I'm doing to test interoperability:
- miTLS 1.2 server -- miTLS 1.2 client:
$ ./mitls.exe -v 1.2 -s 127.0.0.1 4443 -cert ../../data/server.crt -key ../../data/server.key
$ ./mitls.exe -v 1.2 localhost 4443 -CAFile ../../data/ca.crt- miTLS 1.2 server -- OpenSSL 1.2 client
$ ./mitls.exe -v 1.2 -s 127.0.0.1 4443 -cert ../../data/server.crt -key ../../data/server.key
$ openssl1 s_client -tls1_2 -connect localhost:4443 -CAfile ../../data/ca.crt -msg- OpenSSL 1.2 server -- miTLS 1.2 client
$ openssl1 s_server -tls1_2 -accept 4443 -cert ../../data/server.crt -key ../../data/server.key -msg -www
$ ./mitls.exe -v 1.2 localhost 4443 -CAFile ../../data/ca.crt- miTLS 1.3 server -- miTLS 1.3 client
$ ./mitls.exe -v 1.3 -s 127.0.0.1 4443 -cert ../../data/server.crt -key ../../data/server.key
$ ./mitls.exe -v 1.3 localhost 4443 -CAFile ../../data/ca.crt
We should have a target for testing the health of our test client and server, and their interoperability with OpenSSL. We need to cover at least these scenarios, initially with one ciphersuite (i.e. ECDHE-RSA-AES128-GCM-SHA256), then with others as we start supporting them.
e.g.
We could use the certificates and keys checked in at https://github.com/FStarLang/FStar/tree/master/ucontrib/CoreCrypto/ml/pki (with the appropriate hostnames).
The target should check that client and server can exchange a request/response and report any failures (including ideally the reason or error message: negotiation, certificates, signatures, record layer, ...)
For 1.3, here's a wiki that keeps track of existing implementations and test servers: https://github.com/tlswg/tls13-spec/wiki/Implementations