-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL_get_ciphers() lacks TLSv1.3 ciphersuites #1638
Comments
…ration SSL_get_ciphers() in AWS-LC seems to lack the TLSv1.3 ciphersuites, which break the ECDSA key selection when doing TLSv1.3. An issue was opened aws/aws-lc#1638 Indeed, in ssl_sock_switchctx_cbk(), the sigalgs is used to determine if ECDSA is doable or not, then the function compares the list of ciphers in the clienthello with the list of configured ciphers. The fix solves the issue by never skipping the TLSv1.3 ciphersuites, even if they are not in SSL_get_ciphers().
…ration SSL_get_ciphers() in AWS-LC seems to lack the TLSv1.3 ciphersuites, which break the ECDSA key selection when doing TLSv1.3. An issue was opened aws/aws-lc#1638 Indeed, in ssl_sock_switchctx_cbk(), the sigalgs is used to determine if ECDSA is doable or not, then the function compares the list of ciphers in the clienthello with the list of configured ciphers. The fix solves the issue by never skipping the TLSv1.3 ciphersuites, even if they are not in SSL_get_ciphers().
Thank you, William @wlallemand, for bringing the issue to our attention and proposing a solution. We’ll take some time to see if we can implement it as requested. |
Internal tracking CryptoAlg-2559. |
Noticed the same with The MySQL Ssl_cipher_list status variable is missing TLS v1.3 cipher suites when using AWS-LC Noticed this ToDo about merging TLS v1.3 ciphersuites into |
Hello,
Problem:
I'm porting the HAProxy client_hello callback that is used with OpenSSL to the select_certificate equivalent in AWS-LC, in order to enable more features in HAProxy and activate more reg-tests. Our callback is using the SSL_get_ciphers() function to compare the ciphers from the server side to the ciphers from the clienthello.
The SSL_get_ciphers() functions does not seems to return any TLS 1.3 ciphersuites even if they are used unlike the SSL_get_ciphers() function from OpenSSL.
Attached a simple server example to reproduce:
Building with aws-lc:
gcc server.c -DUSE_AWSLC -I/opt/awslc-1.29.0/include/ -o server -L/opt/awslc-1.29.0/lib/ -lssl -lcrypto -Wl,-rpath,/opt/awslc-1.29.0/lib/
Building with OpenSSL:
gcc server.c -o server -lssl -lcrypto
server.c.txt
Output with openssl 3.0.13:
Output with AWS-LC 1.29.0:
Solution:
SSL_get_ciphers()
should maybe return the content of bothssl->ctx->tls13_cipher_list.get()
andssl->ctx->cipher_list->ciphers.get()
instead of only the later.The text was updated successfully, but these errors were encountered: