Open 1div0 opened 1 month ago
Hi @1div0
I was not able to reproduce with ./configure --enable-opensslall --enable-ech
But I was able to reproduce with ./configure --enable-opensslall --enable-ech --enable-harden-tls
I will review and provide an update.
Thanks, @embhorn - wolfSSL Support
The harden-tls
option is conflicting with the ech
option. You can overcome this using the override for checking the truncated hmac extension (which is enabled by the ech
option), WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
.
./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'
Else, if you do not need to use the truncated HMAC extension, you can disable it explicitly with:
./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-UHAVE_TRUNCATED_HMAC'
This option is better, as it does not lower the overall security.
Let me know if that resolves the issue for you.
@embhorn thank you so much for the quick response.
I tried both options, library compilation succeeded. However there is failing one test 610: test_wolfSSL_cert_cb_dyn_ciphers ` 610: test_wolfSSL_cert_cb_dyn_ciphers :Client message: hello wolfssl! Server response: I hear you fa shizzle! Client message: hello wolfssl! Server response: I hear you fa shizzle! Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs Testing DHE-RSA-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs
ERROR - ../../../../tests/api.c line 68738 failed with: expected: wolfSSL_CTX_set_cipher_list(ctx, test_wolfSSL_cert_cb_dyn_ciphers_client_cipher) == WOLFSSL_SUCCESS result: 0 != 1
ERROR - ../../../../tests/api.c line 7120 failed with: expected: ctx->c_cb.ctx_ready(ctx->c_ctx) == (1) result: 0 != 1
ERROR - ../../../../tests/api.c line 7429 failed with: expected: test_ssl_memio_setup(&test_ctx) == (1) result: 0 != 1
ERROR - ../../../../tests/api.c line 68889 failed with: expected: test_wolfSSL_client_server_nofail_memio(&func_cb_client, &func_cb_server, ((void*)0)) == (1) result: 0 != 1
Testing ECDHE-ECDSA-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs
failed ( 0.01100)
ERROR - ../../../../tests/api.c line 96451 failed with: expected: Test failed
result: ret 0
`
Contact Details
peter.kovar@reflexion.tv
Version
master
Description
Configuration error combining --enable-opensslall and --enable-ech
Fedora Linux 40
Reproduction steps
I have encountered the configuration error while adding ECH option.
./configure --enable-curve25519 --enable-ed25519 --enable-opensslall --enable-opensslextra --enable-dtls --enable-dtls13 --enable-certgen --enable-keygen --enable-intelasm --enable-benchmark --enable-harden --enable-harden-tls --enable-ech
Relevant log output