Have you noticed that BoringSSL seems to abort handshakes with an
illegal_parameter alert, if the server certificate uses the
standard-compliant (albeit highly unusual) DER encoding of NULL OPTIONAL as the
empty string, instead of the non-standard but ubiquitous 0x05 0x00 encoding?
Is this just a regression bug in BoringSSL, or is it an intentional
restriction of the TLS protocol that should be propagated to other
implementations as well?

On 2016-08-16 20:08, David Benjamin wrote:

Hi folks,

BoringSSL has developed a test harness[1] that consists of a fork of
Go’s crypto/tls package (recently dubbed “BoGo” at the Berlin hackathon)
plus a test runner that allows BoGo to be run against the TLS stack
under test. BoGo can be configured to behave in a number of unexpected
ways that violate the TLS standard, thus enabling the testing of many
scenarios that would be otherwise difficult to obtain with a standard
stack. We (David Benjamin and Eric Rescorla) have been getting it to
work with NSS and wanted to let others know in case they might find it
useful.

This system was initially designed to work with BoringSSL, but in
principle can be used with any stack. The portability is still a little
rough, and we'll likely make changes as we get more experience here, but
it has already been used to test NSS[2] and OpenSSL[3]. We've written up
some notes at [4].

The test suite should be fairly extensive for DTLS and TLS 1.2 (giving
around 75% line coverage in BoringSSL’s TLS code at last count). It
tests TLS 1.3 as well, though those tests are still in progress. They
track BoringSSL’s in-progress TLS 1.3 implementation.

David and Eric

[1] https://boringssl.googlesource.com/boringssl/+/master/ssl/test/
[2] https://hg.mozilla.org/projects/nss/file/tip/external_tests/nss_bogo_shim
[3] https://github.com/google/openssl-tests
[4] https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls