Conversation
| case "$(uname -s)" in | ||
| Darwin) | ||
| opensslbin_name="openssl-darwin64" | ||
| openssl_legacy_bin_name="openssl-darwin64" |
There was a problem hiding this comment.
Yeah, until I build a recent openssl for darwin.
|
Any objection to merge this? (other than travisci being stupid) |
|
I haven't really gone through this, I should have some time to do it this weekend |
tomato42
left a comment
tomato42
left a comment
There was a problem hiding this comment.
sorry for the delay, I should be able to reply promptly to any following changes/comments
in general it's OK, but as I've said before we still have the problem with different ciphers supported by different version of OpenSSL
| SHORTCIPHERSUITESTRING="$joined_array" | ||
|
|
||
| # TLS 1.3 is different from other versions of the protocol and | ||
| # ciphersuites must be passed to openssl explicitely |
| # extract selected protocol and cipher | ||
| if [[ $line =~ New,\ ]]; then | ||
| local match=($line) | ||
| current_protocol="${match[1]%%,}" |
There was a problem hiding this comment.
don't older versions print SSL3/TLS1 here?
|
|
||
| # extract used protocol | ||
| if [[ $line =~ ^Protocol\ + ]]; then | ||
| if [[ $line =~ Protocol\ + ]]; then |
| ratelimit | ||
| verbose "Testing fallback with ${sslcommand[*]} -no_tls1_2" | ||
| local tmp=$(echo Q | "${sslcommand[@]}" -no_tls1_2 2>/dev/null) | ||
| verbose "Testing fallback with ${sslcommand[*]} -no_tls1_3 -no_tls1_2" |
There was a problem hiding this comment.
if we are adding that unconditionally, then we need to check for version of OpenSSL (if provided by user) and abort if it's not 1.1.1
|
oh, and maybe try to rebase on top of master? |
2 participants
I finally decided to take the easiest possible route and create a new openssl binary based off 1.1.1, and rename the previous binary as legacy. This will allow us to keep support for old ciphers/protocols and track the latest features at the same time.
Since TLS1.3 is fairly different from previous versions, I created a separate function to scan for it. We can't use the usual "discard previous used cipher" algorithm with it, as OpenSSL doesn't support the
!flag in the-ciphersuitesparameter, but the logic isn't that different otherwise.The refactoring caused a few issues that I think are now all fixed, but we should still test heavily before merging this patch.