Page MenuHomeFreeBSD

ktls: Fix non-inplace TLS 1.3 encryption.
ClosedPublic

Authored by jhb on Mar 10 2021, 12:33 AM.

Details

Summary

Copy the iovec for the trailer from the proper place. This is the same
fix for CBC encryption from ff6a7e4ba6bf.

Reported by: gallatin
Fixes: 49f6925ca

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jhb requested review of this revision.Mar 10 2021, 12:33 AM

Sample commands to test TLS 1.3 on a client against an nginx server:

# AES-GCM with TLS 1.2
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2
# CHACHA20 with TLS 1.2
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2 -cipher CHACHA20

# AES-GCM with TLS 1.3
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_3
# CHACHA20 with TLS 1.3
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256

For AES-CBC you need a noetm.conf file:

openssl_conf = openssl_init

[openssl_init]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]

Options = -EncryptThenMac

and then you can test that this way:

env OPENSSL_CONF=noetm.cnf openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2 -cipher AES256-SHA

Other ciphers you can use for AES-CBC are AES-SHA, AES-SHA256, and AES256-SHA256.

In my case "bigfile" is a 1GB file of junk in /usr/local/www/nginx.

This revision is now accepted and ready to land.Mar 10 2021, 12:38 AM
This revision was automatically updated to reflect the committed changes.